feat(api): add allow_internet_access to /sandboxes/{id}/network#2433
feat(api): add allow_internet_access to /sandboxes/{id}/network#2433
Conversation
Adds the same allow_internet_access bool from the create sandbox API to the update network endpoint. When false, blocks all internet access (deny 0.0.0.0/0) via buildNetworkConfig — the same code path used at sandbox creation. When true or omitted, no effect.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
infra/packages/api/internal/orchestrator/update_network.go
Lines 49 to 53 in 38f4f76
Persist allow_internet_access on network updates
This path applies allowInternetAccess only to the egress sent to the node (buildNetworkConfig) but never writes it back to the sandbox model in updateFunc. That leaves runtime state inconsistent: GET /sandboxes/{id} keeps returning the old allowInternetAccess, and pause/resume can lose the block-all behavior because snapshot persistence reads sbx.AllowInternetAccess and sbx.Network (buildUpsertSnapshotParams in pause_instance.go). A request like { "allow_internet_access": false } therefore blocks traffic immediately but is not durable across state transitions.
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
…resume The update network handler applied the deny-all rule to the live node but didn't write AllowInternetAccess back to the sandbox store, so pause/resume would lose the setting. Also adds an integration test that verifies allow_internet_access=false survives a pause/resume cycle.
2 participants
Adds the same allow_internet_access bool from the create sandbox API to the update network endpoint. When
false, blocks all internet access (deny 0.0.0.0/0) via buildNetworkConfig — the same code path used at sandbox creation. When true or omitted, no effect.