Network Profiles
Named egress policy templates for common agent workloads.
Apply a named egress policy template instead of assembling rules by hand.
Network profiles are pre-built allow/deny lists for common
configurations. Pass networkProfile at sandbox creation to apply one
without assembling the rules yourself.
import { Isorun } from 'isorun'
const isorun = new Isorun()
// All available profiles:
const profiles = await isorun.networkProfiles()
console.log(profiles.map((p) => p.name))
// → ['unrestricted', 'locked-down', 'claude-code', 'openai', ...]Available profiles
| Profile | Description | Mode |
|---|---|---|
unrestricted | No filtering, sandbox can reach any host | Allow-all |
locked-down | Air-gapped, no external network at all | Deny-all |
claude-code | Anthropic API + PyPI + npm + GitHub + crates.io | Allow-list |
openai | OpenAI API + PyPI + npm + GitHub | Allow-list |
isorun.networkProfiles() returns the live catalogue from the runner,
new profiles show up there without an SDK update.
// Locked-down, sandbox can't reach anything outside the runner.
const a = await isorun.create({ image: 'python:3.12-slim', networkProfile: 'locked-down' })
try {
const r = await a.exec('curl -m 2 https://example.com')
console.log(r.exitCode !== 0) // true, blocked
} finally { await a.destroy() }
// claude-code profile, agent can reach Anthropic + package registries.
const b = await isorun.create({ image: 'python:3.12-slim', networkProfile: 'claude-code' })
try {
await b.exec('pip install anthropic') // works
const r = await b.exec('curl -m 2 https://random-site.com')
console.log(r.exitCode !== 0) // true
} finally { await b.destroy() }Mix with explicit allow/deny
networkProfile and the explicit network: { allow, deny } option are
mutually exclusive, pick one. If a profile is almost what you want,
list the rules directly and tweak.
You can't pass both networkProfile and network: { allow, deny } on the same create call. Choose one.
Profile internals
Profiles are server-side; the SDK just passes the name. The runtime enforcer blocks outbound traffic that does not match the profile allowlist. DNS and hostname checks are maintained alongside policy updates.
See Network Filtering for the raw allow/deny list shape and Endpoint Rules for per-method/per-path filtering.
Next steps
- Network filtering, the raw allow/deny rule shape.
- Endpoint rules, per-method and per-path controls.
- Credential injection, keep API keys out of the guest.