Endpoint Rules

Endpoint rules narrow what the host credential proxy is willing to forward. The base feature (Credential Injection) lets the agent talk to a named service through the proxy. Endpoint rules add method + path controls on top, so the agent's OPENAI_API_KEY can only call POST /v1/chat/completions, not DELETE /v1/admin/*.

Wire shape (credentials_v2)

{
  "image": "python:3.12-slim",
  "credentials_v2": {
    "openai": {
      "key": "sk-real-openai-key",
      "endpoints": [
        { "methods": ["POST"], "paths": ["/v1/chat/completions"] },
        { "methods": ["GET"],  "paths": ["/v1/models"] }
      ]
    }
  }
}

A request through the credential proxy is forwarded only if its (method, path) matches one of the entries. Anything else is rejected at the proxy with a 4xx.

Rule fields

Common policies

Read-only GitHub access

{
  "credentials_v2": {
    "github": {
      "key": "ghp_...",
      "endpoints": [
        { "methods": ["GET"], "paths": ["/repos/*"] },
        { "methods": ["GET"], "paths": ["/user"] }
      ]
    }
  }
}

LLM inference only

{
  "credentials_v2": {
    "openai": {
      "key": "sk-...",
      "endpoints": [
        { "methods": ["POST"], "paths": ["/v1/chat/completions"] },
        { "methods": ["POST"], "paths": ["/v1/embeddings"] },
        { "methods": ["GET"],  "paths": ["/v1/models"] }
      ]
    }
  }
}

Combination model

A request must pass both filters:

1. The sandbox's network policy (allow-list / deny-list / named profile) has to permit the destination host.
2. Each (method, path) has to match an endpoint rule for the credential that authenticates it.

Use this alongside Network Profiles for reusable policy baselines.

Next steps

• Credential injection, the base proxy these rules narrow.
• Network profiles, reusable host-level egress baselines.
• Audit trail, proxied requests are logged without the credential.