AileronControlPlane

ADR-0022: v4 Tiered Network Policy

StatusProposed
Date2026-06-01
Tracking#896, #747

Context

Sandboxed agents need network access for package managers, public APIs, LLM providers, and credentialed tools. Treating all egress the same either over-permits credential use or blocks normal development workflows.

Decision

The v4 network model is tiered:

  • Credentialed HTTPS traffic goes through the Aileron data plane, where policy, approval, credential injection, and audit occur.
  • Uncredentialed public egress may be allowed directly by default and audited at the session/network layer.
  • Private ranges and host-sensitive addresses should be denied by default unless explicitly opened by a documented runtime policy.
  • Regulated deployments can move to default-deny plus allowlist without changing the composition tiers.

The first #796 runtime cut does not enforce this full policy. It establishes container execution and daemon-facing shims. The policy becomes load-bearing when #896 adds proxy/session CA bootstrap.

Consequences

Users need clear launch-time messaging about what sandbox mode isolates today and which network controls are not yet active.

Proxy-mediated credential use must be distinguishable in audit from ordinary direct egress.

Runtime validation should catch missing proxy/CA support before the agent starts when a session requires credentialed network mediation.

Alternatives Considered

Deny all network by default. Stronger but too restrictive for developer agents unless allowlist UX is already mature.

Allow all network and rely on shims only. Too weak for credential-sealing because third-party CLIs can bypass generated shims.

References