Add workspace network policy and published ports

Replace the workspace-level boolean network toggle with explicit network policies and attach localhost TCP publication to workspace services. Persist network_policy in workspace records, validate --publish requests, and run host-side proxy helpers that follow the service lifecycle so published ports are cleaned up on failure, stop, reset, and delete. Update the CLI, SDK, MCP contract, docs, roadmap, and examples for the new policy model, add coverage for the proxy and manager edge cases, and validate with uv lock, UV_CACHE_DIR=.uv-cache make check, UV_CACHE_DIR=.uv-cache make dist-check, and a real guest-backed published-port probe smoke.
2026-03-12 18:12:57 -03:00 · 2026-03-12 18:12:57 -03:00 · c82f4629b2
commit c82f4629b2
parent fc72fcd3a1
21 changed files with 1944 additions and 49 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,15 @@

 All notable user-visible changes to `pyro-mcp` are documented here.

+## 2.10.0
+
+- Replaced the workspace-level boolean network toggle with explicit workspace network policies:
+  `off`, `egress`, and `egress+published-ports`.
+- Added localhost-only published TCP ports for workspace services across the CLI, Python SDK, and
+  MCP server, including returned host/guest port metadata on service start, list, and status.
+- Kept published ports attached to services rather than `/workspace` itself, so host probing works
+  without changing workspace diff, export, shell, or reset semantics.
+
 ## 2.9.0

 - Added explicit workspace secrets across the CLI, Python SDK, and MCP server with