Credentials have to be attached to requests outside the VM layer: if the secret never enters the sandbox, a compromised or prompt-injected agent has nothing to exfiltrate.
Vercel released credential brokering for HTTP(S) egress that works this way, intercepting the sandbox's outbound request and transforming it (adding the real credential) on its way out.
Their approach is:
- Per-sandbox ephemeral ECDSA CA cert (24h TTL), injected into the system trust store
- Env vars set for all common clients (NODE_EXTRA_CA_CERTS, SSL_CERT_FILE, REQUESTS_CA_BUNDLE, CURL_CA_BUNDLE, PIP_CERT, etc.) so their TLS stacks trust that CA; anything that ignores those variables (a JVM keystore, a client that ships its own root bundle, a pinned client) will fail TLS on intercepted domains, so this env-var list is the compatibility surface
- Selective TLS MITM: only domains with transform rules get terminated; all other traffic passes through untouched, so the broker never decrypts traffic it has no rule for
Proposed SDK API:
```ts
const sandbox = await Sandbox.create('template-id', {
  network: {
    denyOut: [ALL_TRAFFIC],
    allowOut: ['api.openai.com', '*.github.com'],
    egressTransform: {
      'api.openai.com': {
        headers: { Authorization: `Bearer ${process.env.OPENAI_API_KEY}` },
      },
      '*.github.com': {
        headers: { Authorization: `Bearer ${process.env.GITHUB_TOKEN}` },
      },
    },
  },
});
```
Changes Required to e2b/infra (AI Slop)
- New TLS MITM proxy handler in packages/orchestrator/internal/tcpfirewall/: intercept TLS for transform domains, generate leaf certs on the fly, parse HTTP, inject/overwrite headers, forward. Wire it into domainHandler in handlers.go as an alternate path taken when transform rules exist on the matched domain.
- Per-sandbox CA generation in the orchestrator sandbox lifecycle: ECDSA P-256 keypair + self-signed CA cert at creation time. Write the cert to the sandbox filesystem and set the env vars (NODE_EXTRA_CA_CERTS, SSL_CERT_FILE, REQUESTS_CA_BUNDLE, CURL_CA_BUNDLE, PIP_CERT, GIT_SSL_CAINFO, AWS_CA_BUNDLE, CARGO_HTTP_CAINFO, GRPC_DEFAULT_SSL_ROOTS_FILE_PATH) via packages/envd/.
- Config plumbing: add egressTransform (domain → headers map) to the network config protobuf/gRPC defs and thread it through packages/api/internal/handlers/sandbox_create.go → packages/api/internal/orchestrator/create_instance.go → orchestrator sandbox config → tcpfirewall handlers.
- Leaf cert cache: in-memory LRU keyed by SNI hostname, per sandbox, so repeated requests to the same domain don't regenerate certs.
- SDK: add an egressTransform option to SandboxNetworkOpts in JS (packages/js-sdk/src/sandbox/sandboxApi.ts) and Python (packages/python-sdk/e2b/sandbox/sandbox_api.py).
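The certificate half of that list, as an added Go example I wrote for this note (it is not e2b's, Vercel's or Gondolin's code): a per-sandbox P-256 CA, leaf certs minted on the fly and cached by SNI hostname, and the SNI-time decision to terminate or splice through. SandboxCA, LeafFor, ShouldIntercept and matchDomain are assumed names; the real tcpfirewall code will differ.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"strings"
	"sync"
	"time"
)

// SandboxCA is one sandbox's ephemeral CA plus its per-SNI leaf cache. Type and
// function names here are assumptions for this example, not e2b's or Vercel's code.
type SandboxCA struct {
	Cert   *x509.Certificate // Cert.Raw is the DER to install in the sandbox trust store
	key    *ecdsa.PrivateKey
	mu     sync.Mutex
	leaves map[string]*tls.Certificate // keyed by lower-cased SNI hostname
}

// NewSandboxCA generates a P-256 key and a self-signed CA valid for ttl (24h in the post).
func NewSandboxCA(ttl time.Duration) (*SandboxCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // random serial
	tmpl := &x509.Certificate{
		SerialNumber: sn, Subject: pkix.Name{CommonName: "sandbox-egress-ca"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		IsCA: true, BasicConstraintsValid: true, MaxPathLenZero: true, // leaves only, no sub-CAs
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &SandboxCA{Cert: cert, key: key, leaves: map[string]*tls.Certificate{}}, nil
}

// LeafFor returns the cached leaf for host or mints one signed by the sandbox CA; on an
// intercepted connection it is called from tls.Config.GetCertificate with hi.ServerName.
func (ca *SandboxCA) LeafFor(host string) (*tls.Certificate, error) {
	host = strings.ToLower(host)
	if host == "" {
		return nil, errors.New("no SNI: refusing to mint a leaf without a hostname")
	}
	ca.mu.Lock()
	defer ca.mu.Unlock()
	if leaf, ok := ca.leaves[host]; ok {
		return leaf, nil
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl := &x509.Certificate{
		SerialNumber: sn, Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: ca.Cert.NotBefore, NotAfter: ca.Cert.NotAfter, // a leaf never outlives its CA
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	leaf := &tls.Certificate{Certificate: [][]byte{der, ca.Cert.Raw}, PrivateKey: key}
	ca.leaves[host] = leaf
	return leaf, nil
}

// matchDomain: exact, or "*.github.com" covering api.github.com but not github.com.
func matchDomain(host, pat string) bool {
	host, pat = strings.ToLower(host), strings.ToLower(pat)
	if strings.HasPrefix(pat, "*.") {
		return len(host) > len(pat)-1 && strings.HasSuffix(host, pat[1:])
	}
	return host == pat
}

// ShouldIntercept is decided on the peeked ClientHello SNI, before any TLS state exists:
// terminate only if a transform rule covers the host, otherwise splice the bytes through.
func ShouldIntercept(sni string, transformDomains []string) bool {
	for _, pat := range transformDomains {
		if matchDomain(sni, pat) {
			return true
		}
	}
	return false
}
```

Wiring: the firewall peeks the ClientHello, calls ShouldIntercept on the SNI, and on a hit wraps the connection with tls.Server using a tls.Config whose GetCertificate returns ca.LeafFor(hi.ServerName); the PEM encoding of ca.Cert.Raw is what the NODE_EXTRA_CA_CERTS / SSL_CERT_FILE family should point at. The cache here is a plain map; the LRU eviction from the list above is left out, and a leaf deliberately carries the CA's own NotAfter so nothing signed by a sandbox CA survives the sandbox's 24h window.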
Gondolin
FWIW I saw this first in Gondolin. Gondolin explicitly injects a placeholder (gondolin_*) into the sandbox ENV that gets find-and-replaced via the MITM.
I think this is better because
- If the agent decides to change the env var, that is respected, while Vercel's approach overrides it regardless
- The env var name is in ENV, so validators won't throw on something like
  if not os.environ["OPENAI_API_KEY"]: raise ...
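To make the placeholder scheme concrete, an added Go example I wrote for this note (not Gondolin's code, and not the egressTransform overwrite either): the sandbox only ever sees gondolin_<ENV>_<random>, the broker swaps it for the real value on decrypted egress, and two rules keep that safe. Secret, NewSecret, Rewrite, the exact placeholder format and the per-secret host list are all assumptions; the page only says the placeholder is gondolin_*.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Secret is one brokered credential: the placeholder is what the sandbox sees in its
// env, the value never leaves the broker. Names are assumptions, not Gondolin's code.
type Secret struct {
	EnvName     string
	Placeholder string
	Value       string
	Hosts       []string // exact hosts or "*.domain" patterns the value may be sent to
}

// NewSecret mints an unguessable placeholder such as gondolin_OPENAI_API_KEY_<hex>.
// Exporting OPENAI_API_KEY=<placeholder> into the sandbox satisfies presence checks,
// and a placeholder that leaks to an un-brokered destination is worthless.
func NewSecret(envName, value string, hosts ...string) (Secret, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return Secret{}, err
	}
	ph := "gondolin_" + envName + "_" + hex.EncodeToString(b)
	return Secret{EnvName: envName, Placeholder: ph, Value: value, Hosts: hosts}, nil
}

// matchDomain: exact, or "*.github.com" covering api.github.com but not github.com.
func matchDomain(host, pat string) bool {
	host, pat = strings.ToLower(host), strings.ToLower(pat)
	if strings.HasPrefix(pat, "*.") {
		return len(host) > len(pat)-1 && strings.HasSuffix(host, pat[1:])
	}
	return host == pat
}

func (s Secret) allows(host string) bool {
	for _, p := range s.Hosts {
		if matchDomain(host, p) {
			return true
		}
	}
	return false
}

func mentions(h http.Header, body []byte, ph string) bool {
	for _, vals := range h {
		if strings.Contains(strings.Join(vals, "\n"), ph) {
			return true
		}
	}
	return bytes.Contains(body, []byte(ph))
}
func setBody(req *http.Request, body []byte) {
	req.Body = io.NopCloser(bytes.NewReader(body))
	req.ContentLength = int64(len(body))
}

// Rewrite substitutes placeholders in the headers and body of a decrypted egress request
// (query strings are not covered here). A placeholder aimed at a host its secret is not
// allowed for rejects the request before anything is modified; whatever the agent wrote
// itself is left alone. Returns the number of substitutions made.
func Rewrite(req *http.Request, secrets []Secret) (int, error) {
	host := req.URL.Hostname()
	var body []byte
	if req.Body != nil {
		var err error
		if body, err = io.ReadAll(req.Body); err != nil {
			return 0, err
		}
		defer func() { setBody(req, body) }() // original body on reject, rewritten on success
	}
	for _, s := range secrets {
		if !s.allows(host) && mentions(req.Header, body, s.Placeholder) {
			return 0, fmt.Errorf("%s placeholder sent to %s, which it is not allowed for", s.EnvName, host)
		}
	}
	n := 0
	for _, s := range secrets {
		for _, vals := range req.Header {
			for i, v := range vals {
				if strings.Contains(v, s.Placeholder) {
					vals[i] = strings.ReplaceAll(v, s.Placeholder, s.Value)
					n++
				}
			}
		}
		if bytes.Contains(body, []byte(s.Placeholder)) {
			body = bytes.ReplaceAll(body, []byte(s.Placeholder), []byte(s.Value))
			n++
		}
	}
	return n, nil
}
```

The host check is the part that matters: substitution is the only moment the real secret exists in a request, so it must be gated on the destination, and the refusal has to happen before any header or body is touched or a partially rewritten request could still be forwarded. An agent that exports its own OPENAI_API_KEY gets no substitution and no error, which is the "respected" behaviour described above.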