Skip to main content
A box is isolated in filesystem and process, but by default its network is open — it can reach anything your host can. egress on a recipe changes that. As a scalar it is open (the default) or none; as a map it routes all of the box’s egress through the dabs proxy engine, which enforces a host allow/deny gate and an optional chain of hooks.
Screens verified by walkthroughs/test_egress.py. The proxy engine runs on bun (host-side); egress: none needs nothing extra.

Cut it off

A box with egress: none has no network at all — it cannot even resolve a name:

Gate it by host

An allow list (or deny) is a CONNECT gate: an allowed host reaches, anything else is refused before a byte leaves the box.

Route it through a hook

An http_proxy chain hands the box’s traffic to code you write. tls: terminate opens the encrypted stream, a module: hook sees — and may rewrite — every chunk, and tls: originate re-encrypts it to the real destination.
A hook that discards the upstream body and emits its own line — proof the box’s fetch passed through your code:
This is the mechanism behind a credential broker: instead of rewriting the whole body, a real hook swaps a dummy token for the real one on the way out and scrubs the real token back out of every response, so the box holds only the dummy. See the confined-claude recipe and contrib/proxy/creds-inject-anthropic/broker.ts in the dabs repo, and the egress field in the recipe schema.