thaloco/pyro-mcp
1
Fork 0
Code Pull requests Releases Packages Activity Actions
pyro-mcp/docs/roadmap/task-workspace-ga/2.10.0-network-policy-and-host-port-publication.md
Thales Maciel c82f4629b2 Add workspace network policy and published ports 
Replace the workspace-level boolean network toggle with explicit network policies and attach localhost TCP publication to workspace services.

Persist network_policy in workspace records, validate --publish requests, and run host-side proxy helpers that follow the service lifecycle so published ports are cleaned up on failure, stop, reset, and delete.

Update the CLI, SDK, MCP contract, docs, roadmap, and examples for the new policy model, add coverage for the proxy and manager edge cases, and validate with uv lock, UV_CACHE_DIR=.uv-cache make check, UV_CACHE_DIR=.uv-cache make dist-check, and a real guest-backed published-port probe smoke.
2026-03-12 18:12:57 -03:00

45 lines
1.3 KiB
Markdown
Raw Blame History

# `2.10.0` Network Policy And Host Port Publication
Status: Done
## Goal
Replace the coarse current network toggle with an explicit workspace network
policy and make services host-probeable through controlled published ports.
## Public API Changes
- `workspace create` gains explicit network policy instead of a simple boolean
- `workspace service start` gains published-port configuration
- `workspace service status/list` returns published-port information
Recommended policy model:
- `off`
- `egress`
- `egress+published-ports`
## Implementation Boundaries
- Host port publication is localhost-only by default.
- Ports remain attached to services, not generic VM networking.
- Published-port details are queryable from CLI, SDK, and MCP.
- Keep network access explicit and visible in the workspace spec.
## Non-Goals
- no remote exposure defaults
- no advanced ingress routing
- no general-purpose networking product surface
## Acceptance Scenarios
- start a service, wait for readiness, probe it from the host, inspect logs,
then stop it
- keep a workspace fully offline and confirm no implicit network access exists
## Required Repo Updates
- docs that show app validation from the host side
- examples that use typed readiness plus localhost probing
- real Firecracker smoke for published-port probing
View git blame Copy permalink