Add workspace network policy and published ports

Replace the workspace-level boolean network toggle with explicit network policies and attach localhost TCP publication to workspace services. Persist network_policy in workspace records, validate --publish requests, and run host-side proxy helpers that follow the service lifecycle so published ports are cleaned up on failure, stop, reset, and delete. Update the CLI, SDK, MCP contract, docs, roadmap, and examples for the new policy model, add coverage for the proxy and manager edge cases, and validate with uv lock, UV_CACHE_DIR=.uv-cache make check, UV_CACHE_DIR=.uv-cache make dist-check, and a real guest-backed published-port probe smoke.
2026-03-12 18:12:57 -03:00 · 2026-03-12 18:12:57 -03:00 · c82f4629b2
commit c82f4629b2
parent fc72fcd3a1
21 changed files with 1944 additions and 49 deletions
--- a/tests/test_api.py
+++ b/tests/test_api.py
@ -123,6 +123,74 @@ def test_pyro_create_vm_defaults_sizing_and_host_compat(tmp_path: Path) -> None:
    assert created["allow_host_compat"] is True


+def test_pyro_workspace_network_policy_and_published_ports_delegate() -> None:
+    calls: list[tuple[str, dict[str, Any]]] = []
+
+    class StubManager:
+        def create_workspace(self, **kwargs: Any) -> dict[str, Any]:
+            calls.append(("create_workspace", kwargs))
+            return {"workspace_id": "workspace-123"}
+
+        def start_service(
+            self,
+            workspace_id: str,
+            service_name: str,
+            **kwargs: Any,
+        ) -> dict[str, Any]:
+            calls.append(
+                (
+                    "start_service",
+                    {
+                        "workspace_id": workspace_id,
+                        "service_name": service_name,
+                        **kwargs,
+                    },
+                )
+            )
+            return {"workspace_id": workspace_id, "service_name": service_name, "state": "running"}
+
+    pyro = Pyro(manager=cast(Any, StubManager()))
+
+    pyro.create_workspace(
+        environment="debian:12",
+        network_policy="egress+published-ports",
+    )
+    pyro.start_service(
+        "workspace-123",
+        "web",
+        command="python3 -m http.server 8080",
+        published_ports=[{"guest_port": 8080, "host_port": 18080}],
+    )
+
+    assert calls[0] == (
+        "create_workspace",
+        {
+            "environment": "debian:12",
+            "vcpu_count": 1,
+            "mem_mib": 1024,
+            "ttl_seconds": 600,
+            "network_policy": "egress+published-ports",
+            "allow_host_compat": False,
+            "seed_path": None,
+            "secrets": None,
+        },
+    )
+    assert calls[1] == (
+        "start_service",
+        {
+            "workspace_id": "workspace-123",
+            "service_name": "web",
+            "command": "python3 -m http.server 8080",
+            "cwd": "/workspace",
+            "readiness": None,
+            "ready_timeout_seconds": 30,
+            "ready_interval_ms": 500,
+            "secret_env": None,
+            "published_ports": [{"guest_port": 8080, "host_port": 18080}],
+        },
+    )
+
+
 def test_pyro_workspace_methods_delegate_to_manager(tmp_path: Path) -> None:
    pyro = Pyro(
        manager=VmManager(