sbx: add org policy recipes page#25234
Draft
dvdksn wants to merge 4 commits into
Draft
Conversation
Add a governance page with minimal, composable network policy presets for common sandbox workflows (developer essentials, package registries, container images, Claude Code, Codex), in both Admin Console and Governance API form. Link it from the governance index. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
✅ Deploy Preview for docsdocker ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
docker-agent
reviewed
Jun 2, 2026
Reframe the GitLab/Bitbucket note as swapping GitHub for equivalent hosts, and point readers to sbx policy log / the Monitoring page for discovering which domains a workflow needs. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Match the worked example to the recipe table so ARM-based sandboxes can reach the Ubuntu ARM mirrors. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
A rule without a port matches any port; only a :port suffix restricts. Reword the note accordingly and drop the redundant :80 entries, since bare hostnames already cover the HTTP and HTTPS ports the proxy handles. ports.ubuntu.com (bare) still covers the ARM mirror on port 80. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
Author
|
Waiting on the audit log + team policy PRs to merge before I resume this one, to avoid too many conflicts. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a governance page with minimal, composable network policy presets for common sandbox workflows — developer essentials (GitHub, certificate validation, Ubuntu packages), per-language package registries, container images, and agent-specific blocks for Claude Code and Codex. Each recipe is given in both Admin Console (rule tables) and Governance API (curl) form.
Org policies are deny-by-default, so the page is framed as minimal building blocks an admin composes, explicitly contrasted with the broad local Balanced preset. Domains are sourced from the sbx balanced preset and trimmed to a minimal canonical set per block.
Learnings
content/reference/api/ai-governance/api.yaml: base URLhttps://hub.docker.com/v2, bearer JWT exchanged from a PAT/OAT at/users/login, network allow rules use actionsconnect:tcp/connect:udp.Generated by Claude Code