# `2.10.0` Network Policy And Host Port Publication

Status: Done

## Goal

Replace the coarse current network toggle with an explicit workspace network policy and make services host-probeable through controlled published ports.

## Public API Changes

- `workspace create` gains explicit network policy instead of a simple boolean
- `workspace service start` gains published-port configuration
- `workspace service status/list` returns published-port information

Recommended policy model:

- `off`
- `egress`
- `egress+published-ports`

## Implementation Boundaries

- Host port publication is localhost-only by default.
- Ports remain attached to services, not generic VM networking.
- Published-port details are queryable from CLI, SDK, and MCP.
- Keep network access explicit and visible in the workspace spec.

## Non-Goals

- no remote exposure defaults
- no advanced ingress routing
- no general-purpose networking product surface

## Acceptance Scenarios

- start a service, wait for readiness, probe it from the host, inspect logs, then stop it
- keep a workspace fully offline and confirm no implicit network access exists

## Required Repo Updates

- docs that show app validation from the host side
- examples that use typed readiness plus localhost probing
- real Firecracker smoke for published-port probing
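
The sketch below is an added example, not the project's code. It shows one way to enforce the implementation boundaries above (publication only under `egress+published-ports`, loopback bind unless explicitly overridden) and to probe a published port from the host. Only the three policy names come from this page; `resolve_publication`, `probe_published_port`, their parameters, and the returned dict shape are hypothetical.

```python
import ipaddress
import socket
import time

# Policy names are the ones this page recommends; everything else is hypothetical.
POLICIES = ("off", "egress", "egress+published-ports")


def resolve_publication(policy, guest_port, host_port=0, bind_host="127.0.0.1",
                        allow_non_loopback=False):
    """Validate a publish request against the workspace network policy."""
    if policy not in POLICIES:
        raise ValueError(f"unknown network policy: {policy!r}")
    if policy != "egress+published-ports":
        raise PermissionError(f"policy {policy!r} does not allow published ports")
    for port, low in ((guest_port, 1), (host_port, 0)):  # host_port 0 = pick a free port
        if not low <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    addr = ipaddress.ip_address(bind_host)  # IP literals only, so no name resolution
    if not addr.is_loopback and not allow_non_loopback:
        raise PermissionError(f"{bind_host} is not loopback; remote exposure must be explicit")
    return {"bind_host": str(addr), "host_port": host_port, "guest_port": guest_port}


def probe_published_port(host, port, timeout=5.0, interval=0.1):
    """Poll a published port from the host until it accepts a TCP connection."""
    if not ipaddress.ip_address(host).is_loopback:
        raise PermissionError("probe target must be a loopback address")
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=interval):
                return True
        except OSError:
            time.sleep(interval)  # not ready yet; retry until the deadline
    return False


if __name__ == "__main__":
    # Constructed stand-in for a service published on localhost.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    pub = resolve_publication("egress+published-ports", guest_port=8080,
                              host_port=listener.getsockname()[1])
    print(pub, probe_published_port(pub["bind_host"], pub["host_port"]))
    listener.close()
```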