feat: add unauthenticated_routes to sandbox API #2205
Closed
Add `unauthenticated_routes: Vec<String>` field to sandboxes, allowing
the sandbox proxy to permit unauthenticated access to specific path
prefixes. Also fixes the internal sandbox lookup endpoint to return
metadata for non-running sandboxes (no longer 404s when no container is
assigned), and adds a new global endpoint
`GET /internal/v1/sandboxes/{sandbox_id}` for namespace-agnostic lookup.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Wire unauthenticated_routes through the pool stack so sandboxes spawned from a pool inherit the setting. Follows the same pattern as network_policy.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Benaiah
approved these changes
Mar 5, 2026
Summary
- `unauthenticated_routes: Vec<String>` to the `Sandbox` data model, `CreateSandboxRequest`, and `SandboxInfo` response. Path prefixes in this list allow unauthenticated access through the sandbox proxy; empty means all access requires auth.
- `GET /internal/v1/namespaces/{namespace}/sandboxes/{sandbox_id}` to return sandbox metadata regardless of status — previously it returned 404 for sandboxes that hadn't been assigned a container yet, breaking proxy auth checks for pending sandboxes.
- `GET /internal/v1/sandboxes/{sandbox_id}` for namespace-agnostic sandbox lookup (used by the proxy, which doesn't always know the namespace).

No migration needed
- `#[serde(default)]` on `Vec<String>` deserializes as empty for all existing sandbox records.

Contribution Checklist
- `just fmt` to format the code.
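
The description does not say how the proxy compares a request path against `unauthenticated_routes`. The following is an added example, not code from this PR or project, of one way to make that check fail closed. It assumes segment-boundary prefix matching and a path with the query string already stripped; `normalize` and `is_unauthenticated` are hypothetical names.

```rust
// Added illustration: hypothetical helpers, not functions from the PR.

/// Resolve `.` and `..` segments and collapse repeated slashes.
/// Returns None when the path tries to climb above the root.
fn normalize(path: &str) -> Option<Vec<&str>> {
    let mut out = Vec::new();
    for seg in path.split('/') {
        match seg {
            "" | "." => {}
            ".." => {
                out.pop()?; // climbing past "/" is rejected
            }
            s => out.push(s),
        }
    }
    Some(out)
}

/// True when `path` falls under one of the configured prefixes.
/// An empty list means every request requires auth, as the PR states.
fn is_unauthenticated(routes: &[String], path: &str) -> bool {
    // Design choice in this example: anything percent-encoded or containing a
    // backslash goes down the authenticated path, so the proxy and the upstream
    // cannot disagree about what the path decodes to.
    if path.contains('%') || path.contains('\\') {
        return false;
    }
    let Some(req) = normalize(path) else { return false };
    routes.iter().any(|r| match normalize(r) {
        // A prefix that normalizes to "/" would open every route; ignore it.
        Some(p) if !p.is_empty() => req.len() >= p.len() && req[..p.len()] == p[..],
        _ => false,
    })
}

fn main() {
    // Constructed sample configuration and request paths.
    let routes = vec!["/health".to_string(), "/public/".to_string()];
    for p in ["/health/live", "/healthz", "/public/../admin", "/admin"] {
        println!("{p}: unauthenticated={}", is_unauthenticated(&routes, p));
    }
}
```

Comparing whole segments keeps `/health` from also exposing `/healthz`, and normalizing before the comparison keeps `/public/../admin` behind auth.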