@torkbot/sandbox 0.3.1 → 0.5.0

package/README.md

@@ -116,8 +116,14 @@ const sandbox = defineSandbox({
     memoryMiB: 4096,
   },
   network: network.policy(async (conn) => {
-    if (conn.host === "api.github.com") {
-      conn.allowHttp(async (request) => {
+    if (conn.matchDns("10.0.2.1")?.accept()) return;
+
+    const github = conn.transport === "tcp"
+      ? conn.matchHttp("api.github.com")
+      : undefined;
+    if (github) {
+      github.accept(async (request) => {
+        if (request.destination.hostname !== "api.github.com") return;
         request.headers.set(
           "authorization",
           `Bearer ${await githubTokens.tokenForRequest(request)}`,
@@ -125,8 +131,6 @@ const sandbox = defineSandbox({
       });
       return;
     }
-
-    conn.allowHttp();
   }),
 });
 
@@ -225,21 +229,26 @@ connection requests and grants only the traffic it explicitly allows:
 
 ```ts
 const policy = network.policy(async (conn) => {
-  if (conn.host === "registry.npmjs.org") {
-    conn.allowHttp();
+  if (conn.transport === "tcp" && conn.dst.isPublicInternet() && conn.dst.port === 443) {
+    conn.accept();
   }
 });
 ```
 
-`conn.allow()` grants HTTP(S)-classified traffic without request middleware.
-`conn.allowHttp(...)` grants HTTP(S)-classified traffic and can apply request
-middleware:
+`conn.accept()` grants the observed connection or flow at the transport layer.
+It does not classify the application protocol, does not enter HTTP middleware,
+and does not MITM TLS. `conn.acceptHttp(...)` is TCP-only and explicitly opts
+the flow into Sandbox's HTTP-family enforcement path. If the accepted flow is
+not actually HTTP or HTTPS, it fails closed.
 
 ```ts
 const policy = network.policy(async (conn) => {
-  if (conn.host !== "api.example.com") return;
+  const api = conn.transport === "tcp"
+    ? conn.matchHttp("api.example.com")
+    : undefined;
+  if (!api) return;
 
-  conn.allowHttp(async (request) => {
+  api.accept(async (request) => {
     request.headers.set(
       "authorization",
       `Bearer ${await credentialBroker.authorizationFor(request)}`,
@@ -248,10 +257,52 @@ const policy = network.policy(async (conn) => {
 });
 ```
 
+Every TCP and UDP policy request carries source and destination IP-layer
+endpoints:
+
+```ts
+conn.src.ip;
+conn.src.port;
+conn.dst.ip;
+conn.dst.port;
+```
+
+Endpoint helpers classify logical address ranges without relying on hostnames:
+`isLoopback()`, `isPrivate()`, `isLinkLocal()`, `isMulticast()`,
+`isBroadcast()`, `isDocumentation()`, `isReserved()`, and
+`isPublicInternet()`. `transport` is the TCP/UDP discriminator. Sandbox does
+not expose a best-effort `conn.protocol` classifier.
+
+HTTP middleware receives trusted destination metadata separately from the
+request URL. `request.destination.hostname` is populated only when Sandbox can
+pin the destination IP to trusted connection metadata, such as its own DNS
+answer cache. IP-addressed requests still work under `acceptHttp(...)`, but they
+do not advertise a hostname. Do not use the HTTP `Host` header as authority for
+policy decisions.
+
+For common policy checks, protocol match helpers acquire a typed capability
+before accepting traffic:
+
+```ts
+network.policy(async (conn) => {
+  if (conn.matchDns("10.0.2.1")?.accept()) return;
+
+  if (conn.transport !== "tcp") return;
+  const http = conn.matchHttp((candidate) =>
+    candidate.hostname === "api.github.com"
+  );
+  if (!http) return;
+
+  if (!(await policyManager.allow(http))) return;
+
+  http.accept((request) => policyManager.handle(request));
+});
+```
+
 Deny remains the default. If the policy callback does not create a grant, the
-connection is blocked. The `NetworkGrant` returned by `allow()` and
-`allowHttp()` is reserved as the future extension point for instance-local
-state, such as remembering a grant for a time window.
+connection is blocked. The grants returned by `accept()` and `acceptHttp()` are
+reserved as future extension points for instance-local state, such as
+remembering a grant for a time window.
 
 The runtime uses this policy shape to keep the JavaScript boundary explicit.
 Native rules can be added under the same model later without changing the
@@ -330,6 +381,14 @@ TypeScript API:
   decisions and delegate to JavaScript only when a policy callback is required.
 - HTTP request middleware is caller-provided JavaScript, but Sandbox owns the
   interception machinery and certificate plumbing.
+- When HTTP interception is enabled, the host generates the CA material and
+  passes only the public CA certificate to Sandbox init. Init does not generate
+  or manage certificates; the host exposes the supplied CA through an internal
+  read-only virtiofs mount, then init installs it using the selected rootfs'
+  native trust-store mechanism. Built-in rootfs launches use an ephemeral
+  writable COW view for HTTP interception so init can update the guest trust
+  store deterministically. If a rootfs does not provide a supported native
+  trust-store installer, init fails closed.
 
 The intended boundary is that Sandbox knows how to launch, isolate, mount,
 intercept, and enforce. User-space owns artifact selection, filesystem

package/dist/host-process.d.ts

@@ -1,13 +1,13 @@
 import { hostBinaryPath } from "./artifacts.ts";
 import type { HostControlChannel } from "./control.ts";
 import type { HostSpawnSandboxOptions } from "./spawn-options.ts";
-import type { InternalSandboxOptions, RegisteredHttpRequestHeadersHook } from "./launch-options.ts";
+import type { InternalSandboxOptions, RegisteredHttpRequestHeadersHook, RegisteredNetworkConnectionHook } from "./launch-options.ts";
 export declare class HostProcessSandboxVm implements HostControlChannel {
     #private;
     readonly hasControlSocket = true;
     readonly packets: AsyncIterable<Uint8Array>;
     private constructor();
-    static spawn(options: InternalSandboxOptions, hostOptions: HostSpawnSandboxOptions, requestHeaderHooks?: Map<string, RegisteredHttpRequestHeadersHook>): Promise<HostProcessSandboxVm>;
+    static spawn(options: InternalSandboxOptions, hostOptions: HostSpawnSandboxOptions, requestHeaderHooks?: Map<string, RegisteredHttpRequestHeadersHook>, networkConnectionHook?: RegisteredNetworkConnectionHook): Promise<HostProcessSandboxVm>;
     writeControlPacket(packet: Uint8Array): void;
     close(): Promise<void>;
     terminateHostForTest(): Promise<void>;

package/dist/host-process.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"host-process.d.ts","sourceRoot":"","sources":["../src/host-process.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,cAAc,EAAyB,MAAM,gBAAgB,CAAC;AACvE,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AACvD,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,oBAAoB,CAAC;AAQlE,OAAO,KAAK,EACV,sBAAsB,EACtB,gCAAgC,EACjC,MAAM,qBAAqB,CAAC;AAI7B,qBAAa,oBAAqB,YAAW,kBAAkB;;IAC7D,QAAQ,CAAC,gBAAgB,QAAQ;IACjC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,UAAU,CAAC,CAAC;IAiB5C,OAAO,eAgDN;IAED,OAAa,KAAK,CAChB,OAAO,EAAE,sBAAsB,EAC/B,WAAW,EAAE,uBAAuB,EACpC,kBAAkB,GAAE,GAAG,CAAC,MAAM,EAAE,gCAAgC,CAAa,GAC5E,OAAO,CAAC,oBAAoB,CAAC,CAyB/B;IAED,kBAAkB,CAAC,MAAM,EAAE,UAAU,GAAG,IAAI,CAG3C;IAEK,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CA4B3B;IAEK,oBAAoB,IAAI,OAAO,CAAC,IAAI,CAAC,CAiB1C;CAqhBF;AA2BD,OAAO,EAAE,cAAc,EAAE,CAAC"}
+{"version":3,"file":"host-process.d.ts","sourceRoot":"","sources":["../src/host-process.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,cAAc,EAAyB,MAAM,gBAAgB,CAAC;AACvE,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AACvD,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,oBAAoB,CAAC;AAQlE,OAAO,KAAK,EACV,sBAAsB,EACtB,gCAAgC,EAChC,+BAA+B,EAChC,MAAM,qBAAqB,CAAC;AAkB7B,qBAAa,oBAAqB,YAAW,kBAAkB;;IAC7D,QAAQ,CAAC,gBAAgB,QAAQ;IACjC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,UAAU,CAAC,CAAC;IAmB5C,OAAO,eAkDN;IAED,OAAa,KAAK,CAChB,OAAO,EAAE,sBAAsB,EAC/B,WAAW,EAAE,uBAAuB,EACpC,kBAAkB,GAAE,GAAG,CAAC,MAAM,EAAE,gCAAgC,CAAa,EAC7E,qBAAqB,CAAC,EAAE,+BAA+B,GACtD,OAAO,CAAC,oBAAoB,CAAC,CAyB/B;IAED,kBAAkB,CAAC,MAAM,EAAE,UAAU,GAAG,IAAI,CAG3C;IAEK,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CA4B3B;IAEK,oBAAoB,IAAI,OAAO,CAAC,IAAI,CAAC,CAiB1C;CAqqBF;AA2BD,OAAO,EAAE,cAAc,EAAE,CAAC"}

package/dist/host-process.js

@@ -16,16 +16,19 @@ export class HostProcessSandboxVm {
     #rootBlockStore;
     #rootBlockStoreContext;
     #requestHeaderHooks;
+    #networkConnectionHook;
+    #httpMiddlewareByFlow = new Map();
     #buffer = new Uint8Array();
     #stderr = "";
     #closed = false;
     #exitError = null;
     #stdinError = null;
-    constructor(child, options, requestHeaderHooks) {
+    constructor(child, options, requestHeaderHooks, networkConnectionHook) {
         this.#child = child;
         this.#options = options;
         this.packets = this.#packets;
         this.#requestHeaderHooks = requestHeaderHooks;
+        this.#networkConnectionHook = networkConnectionHook;
         this.#rootBlockStore = options.rootfs.storage?.blockStore;
         this.#rootBlockStoreContext = options.rootfs.storage?.context;
         for (const mount of options.mounts ?? []) {
@@ -62,14 +65,14 @@ export class HostProcessSandboxVm {
             this.#launchReady.close(this.#exitError);
         });
     }
-    static async spawn(options, hostOptions, requestHeaderHooks = new Map()) {
+    static async spawn(options, hostOptions, requestHeaderHooks = new Map(), networkConnectionHook) {
         let vm;
         const hostPath = hostBinaryPath();
         try {
             const child = spawn(hostPath, ["--stdio"], {
                 stdio: ["pipe", "pipe", "pipe"],
             });
-            vm = new HostProcessSandboxVm(child, options, requestHeaderHooks);
+            vm = new HostProcessSandboxVm(child, options, requestHeaderHooks, networkConnectionHook);
             await Promise.race([
                 once(child, "spawn"),
                 once(child, "error").then(([error]) => {
@@ -225,6 +228,8 @@ export class HostProcessSandboxVm {
             && type !== "host.vfs.removexattr"
             && type !== "host.http.requestHeaders"
             && type !== "host.http.activeRequestHeaderHooks"
+            && type !== "host.network.connection"
+            && type !== "host.network.closed"
             && type !== "host.block.list"
             && type !== "host.block.read"
             && type !== "host.block.write"
@@ -237,6 +242,12 @@ export class HostProcessSandboxVm {
         else if (type === "host.http.activeRequestHeaderHooks") {
             void this.#handleActiveRequestHeaderHooks(document);
         }
+        else if (type === "host.network.connection") {
+            void this.#handleNetworkConnection(document);
+        }
+        else if (type === "host.network.closed") {
+            this.#handleNetworkClosed(document);
+        }
         else if (type === "host.block.list"
             || type === "host.block.read"
             || type === "host.block.write"
@@ -248,6 +259,133 @@ export class HostProcessSandboxVm {
         }
         return true;
     }
+    async #handleNetworkConnection(document) {
+        const id = typeof document.id === "string" ? document.id : "";
+        try {
+            const transport = assertNetworkTransport(document.transport);
+            const protocol = optionalString(document.protocol, "protocol");
+            const srcIp = assertString(document.srcIp, "srcIp");
+            const srcPort = assertNumber(document.srcPort, "srcPort");
+            const dstIp = assertString(document.dstIp, "dstIp");
+            const dstPort = assertNumber(document.dstPort, "dstPort");
+            const hostname = optionalString(document.hostname, "hostname");
+            const src = createNetworkEndpoint(srcIp, srcPort);
+            const dst = createNetworkEndpoint(dstIp, dstPort);
+            const decision = { action: "deny" };
+            let httpMiddleware;
+            const accept = () => {
+                decision.action = "accept";
+                return {};
+            };
+            const connection = {
+                transport,
+                src,
+                dst,
+                accept,
+                matchDns(matcher) {
+                    if (protocol !== "dns") {
+                        return undefined;
+                    }
+                    const candidate = {
+                        src,
+                        dst,
+                        transport,
+                        accept,
+                    };
+                    return dnsMatcherMatches(matcher, candidate) ? candidate : undefined;
+                },
+                ...(transport === "tcp"
+                    ? {
+                        acceptHttp(middleware) {
+                            decision.action = "acceptHttp";
+                            httpMiddleware = middleware;
+                            return {};
+                        },
+                        matchTcp(matcher) {
+                            const candidate = {
+                                src,
+                                dst,
+                                accept,
+                            };
+                            return endpointMatcherMatches(matcher, candidate) ? candidate : undefined;
+                        },
+                        matchHttp(matcher) {
+                            if (hostname === undefined) {
+                                return undefined;
+                            }
+                            const candidate = {
+                                src,
+                                dst,
+                                hostname,
+                                port: dst.port,
+                                accept(middleware) {
+                                    decision.action = "acceptHttp";
+                                    httpMiddleware = middleware;
+                                    return {};
+                                },
+                            };
+                            return httpMatcherMatches(matcher, candidate) ? candidate : undefined;
+                        },
+                    }
+                    : {
+                        matchUdp(matcher) {
+                            const candidate = {
+                                src,
+                                dst,
+                                accept,
+                            };
+                            return endpointMatcherMatches(matcher, candidate) ? candidate : undefined;
+                        },
+                    }),
+            };
+            if (this.#networkConnectionHook?.active === true) {
+                await this.#networkConnectionHook.hook(connection);
+            }
+            if (decision.action === "acceptHttp") {
+                this.#httpMiddlewareByFlow.set(networkFlowKey(src, dst), httpMiddleware);
+            }
+            this.#tryWriteToHost(encodePacket({
+                type: "host.network.response",
+                id,
+                ok: true,
+                action: decision.action,
+            }));
+        }
+        catch (error) {
+            this.#tryWriteToHost(encodePacket({
+                type: "host.network.response",
+                id,
+                ok: false,
+                error: error instanceof Error ? error.message : String(error),
+            }));
+        }
+    }
+    #handleNetworkClosed(document) {
+        const id = typeof document.id === "string" ? document.id : "";
+        try {
+            const transport = assertNetworkTransport(document.transport);
+            const srcIp = assertString(document.srcIp, "srcIp");
+            const srcPort = assertNumber(document.srcPort, "srcPort");
+            const dstIp = assertString(document.dstIp, "dstIp");
+            const dstPort = assertNumber(document.dstPort, "dstPort");
+            if (transport === "tcp") {
+                this.#httpMiddlewareByFlow.delete(networkFlowKey(createNetworkEndpoint(srcIp, srcPort), createNetworkEndpoint(dstIp, dstPort)));
+            }
+            this.#tryWriteToHost(encodePacket({
+                type: "host.network.response",
+                id,
+                ok: true,
+            }));
+        }
+        catch (error) {
+            this.#tryWriteToHost(encodePacket({
+                type: "host.network.response",
+                id,
+                ok: false,
+                error: error instanceof Error ? error.message : String(error),
+            }));
+        }
+    }
     async #handleHttpRequestHeaders(document) {
         const id = typeof document.id === "string" ? document.id : "";
         try {
@@ -261,13 +399,15 @@ export class HostProcessSandboxVm {
                 method: assertString(document.method, "method"),
                 headers,
                 destination: {
+                    sourceIp: assertString(document.sourceIp, "sourceIp"),
+                    sourcePort: assertNumber(document.sourcePort, "sourcePort"),
                     originalIp: assertString(document.originalDestinationIp, "originalDestinationIp"),
                     originalPort: assertNumber(document.originalDestinationPort, "originalDestinationPort"),
-                    upstreamIp: assertString(document.upstreamDialIp, "upstreamDialIp"),
-                    upstreamPort: assertNumber(document.upstreamDialPort, "upstreamDialPort"),
+                    hostname: optionalString(document.originalDestinationHostname, "originalDestinationHostname"),
                 },
                 tls: optionalTlsMetadata(document.tls),
             };
+            await this.#httpMiddlewareByFlow.get(networkFlowKey(createNetworkEndpoint(request.destination.sourceIp, request.destination.sourcePort), createNetworkEndpoint(request.destination.originalIp, request.destination.originalPort)))?.(request);
             for (const hookId of hookIds) {
                 const registration = this.#requestHeaderHooks.get(hookId);
                 if (registration?.active === true) {
@@ -746,6 +886,170 @@ function assertProtocol(value) {
     }
     throw new Error("host request protocol must be http/1.1 or h2");
 }
+function assertNetworkTransport(value) {
+    if (value === "tcp" || value === "udp") {
+        return value;
+    }
+    throw new Error("host network request transport must be tcp or udp");
+}
+function createNetworkEndpoint(ip, port) {
+    return {
+        ip,
+        port,
+        isLoopback: () => isLoopbackIp(ip),
+        isPrivate: () => isPrivateIp(ip),
+        isLinkLocal: () => isLinkLocalIp(ip),
+        isMulticast: () => isMulticastIp(ip),
+        isBroadcast: () => ip === "255.255.255.255",
+        isDocumentation: () => isDocumentationIp(ip),
+        isReserved: () => isReservedIp(ip),
+        isPublicInternet: () => isPublicInternetIp(ip),
+    };
+}
+function dnsMatcherMatches(matcher, candidate) {
+    if (typeof matcher === "function") {
+        return matcher(candidate);
+    }
+    const spec = typeof matcher === "string" ? { ip: matcher, port: 53 } : matcher;
+    return candidate.dst.ip === spec.ip && candidate.dst.port === (spec.port ?? 53);
+}
+function endpointMatcherMatches(matcher, candidate) {
+    if (typeof matcher === "function") {
+        return matcher(candidate);
+    }
+    const endpoint = parseEndpointSpec(matcher);
+    return candidate.dst.ip === endpoint.ip && candidate.dst.port === endpoint.port;
+}
+function httpMatcherMatches(matcher, candidate) {
+    if (typeof matcher === "function") {
+        return matcher(candidate);
+    }
+    const authority = parseHttpAuthoritySpec(matcher);
+    return candidate.hostname === authority.hostname
+        && (authority.port === undefined || candidate.port === authority.port);
+}
+function parseEndpointSpec(spec) {
+    if (typeof spec !== "string") {
+        return spec;
+    }
+    const ipv6Match = /^\[(.*)]:(\d+)$/.exec(spec);
+    if (ipv6Match !== null) {
+        return { ip: ipv6Match[1] ?? "", port: Number(ipv6Match[2]) };
+    }
+    const separator = spec.lastIndexOf(":");
+    if (separator < 0) {
+        throw new Error("network endpoint spec must include a port");
+    }
+    return {
+        ip: spec.slice(0, separator),
+        port: Number(spec.slice(separator + 1)),
+    };
+}
+function parseHttpAuthoritySpec(spec) {
+    if (typeof spec !== "string") {
+        return spec;
+    }
+    const ipv6Match = /^\[(.*)](?::(\d+))?$/.exec(spec);
+    if (ipv6Match !== null) {
+        return {
+            hostname: ipv6Match[1] ?? "",
+            port: ipv6Match[2] === undefined ? undefined : Number(ipv6Match[2]),
+        };
+    }
+    const separator = spec.lastIndexOf(":");
+    if (separator > -1) {
+        const portText = spec.slice(separator + 1);
+        if (/^\d+$/.test(portText)) {
+            return {
+                hostname: spec.slice(0, separator),
+                port: Number(portText),
+            };
+        }
+    }
+    return { hostname: spec };
+}
+function networkFlowKey(src, dst) {
+    return `${src.ip}:${src.port}->${dst.ip}:${dst.port}`;
+}
+function isLoopbackIp(ip) {
+    const ipv4 = parseIpv4(ip);
+    if (ipv4 !== undefined) {
+        return ipv4[0] === 127;
+    }
+    return ip.toLowerCase() === "::1";
+}
+function isPrivateIp(ip) {
+    const ipv4 = parseIpv4(ip);
+    if (ipv4 !== undefined) {
+        return ipv4[0] === 10
+            || (ipv4[0] === 172 && ipv4[1] >= 16 && ipv4[1] <= 31)
+            || (ipv4[0] === 192 && ipv4[1] === 168);
+    }
+    const lower = ip.toLowerCase();
+    return lower.startsWith("fc") || lower.startsWith("fd");
+}
+function isLinkLocalIp(ip) {
+    const ipv4 = parseIpv4(ip);
+    if (ipv4 !== undefined) {
+        return ipv4[0] === 169 && ipv4[1] === 254;
+    }
+    return /^fe[89ab]/i.test(ip);
+}
+function isMulticastIp(ip) {
+    const ipv4 = parseIpv4(ip);
+    if (ipv4 !== undefined) {
+        return ipv4[0] >= 224 && ipv4[0] <= 239;
+    }
+    return ip.toLowerCase().startsWith("ff");
+}
+function isDocumentationIp(ip) {
+    const ipv4 = parseIpv4(ip);
+    if (ipv4 !== undefined) {
+        return (ipv4[0] === 192 && ipv4[1] === 0 && ipv4[2] === 2)
+            || (ipv4[0] === 198 && ipv4[1] === 51 && ipv4[2] === 100)
+            || (ipv4[0] === 203 && ipv4[1] === 0 && ipv4[2] === 113);
+    }
+    return ip.toLowerCase().startsWith("2001:db8:");
+}
+function isReservedIp(ip) {
+    const ipv4 = parseIpv4(ip);
+    if (ipv4 !== undefined) {
+        return ipv4[0] === 0
+            || (ipv4[0] === 100 && ipv4[1] >= 64 && ipv4[1] <= 127)
+            || (ipv4[0] === 192 && ipv4[1] === 0 && ipv4[2] === 0)
+            || (ipv4[0] === 192 && ipv4[1] === 88 && ipv4[2] === 99)
+            || (ipv4[0] === 198 && (ipv4[1] === 18 || ipv4[1] === 19))
+            || ipv4[0] >= 240
+            || isDocumentationIp(ip);
+    }
+    return ip.toLowerCase().startsWith("2001:db8:");
+}
+function isPublicInternetIp(ip) {
+    return parseIpv4(ip) !== undefined
+        && !isLoopbackIp(ip)
+        && !isPrivateIp(ip)
+        && !isLinkLocalIp(ip)
+        && !isMulticastIp(ip)
+        && !isReservedIp(ip)
+        && !isDocumentationIp(ip)
+        && ip !== "255.255.255.255";
+}
+function parseIpv4(ip) {
+    const parts = ip.split(".");
+    if (parts.length !== 4) {
+        return undefined;
+    }
+    const octets = parts.map((part) => {
+        if (!/^(0|[1-9][0-9]{0,2})$/.test(part)) {
+            return undefined;
+        }
+        const value = Number(part);
+        return value <= 255 ? value : undefined;
+    });
+    return octets.every((part) => part !== undefined)
+        ? octets
+        : undefined;
+}
 function optionalTlsMetadata(value) {
     if (value === undefined || value === null) {
         return undefined;
@@ -763,6 +1067,9 @@ function optionalTlsMetadata(value) {
             : assertString(document.alpn, "tls.alpn"),
     };
 }
+function optionalString(value, field) {
+    return value === undefined || value === null ? undefined : assertString(value, field);
+}
 function binaryField(value, field) {
     if (value instanceof Uint8Array) {
         return value;
@@ -925,6 +1232,7 @@ function encodeHostSpawn(options) {
         mounts: options.mounts ?? [],
         networkOutbound: options.network?.outbound,
         networkHttp: options.network?.http === undefined ? undefined : options.network.http,
+        networkPolicy: options.network?.policy === undefined ? undefined : options.network.policy,
     });
 }
 function encodePacket(document) {