printToolInstallAllowance prints a multi-line description of the package-host allowlist opened for this sandbox: a one-liner summary followed by every host on its own indented line so the user can see exactly what holes the run punched in the default- deny network policy. Silent when the kit isn't b
(w io.Writer, kitResult *kit.Result)
| 521 | // warning line names each unresolved toolset so the user can spot |
| 522 | // why the allowlist is wider than expected. |
| 523 | func printToolInstallAllowance(w io.Writer, kitResult *kit.Result) { |
| 524 | if kitResult == nil || !kitResult.NeedsToolInstall { |
| 525 | return |
| 526 | } |
| 527 | fmt.Fprintf(w, "Tool install: agent has at least one MCP/LSP toolset, allowlisting %d package host(s) in the sandbox proxy:\n", |
| 528 | len(kitResult.ToolInstallHosts)) |
| 529 | for _, h := range kitResult.ToolInstallHosts { |
| 530 | fmt.Fprintf(w, " - %s\n", h) |
| 531 | } |
| 532 | for _, e := range kitResult.ToolInstallHostsResolutionErr { |
| 533 | fmt.Fprintf(w, " ! %s (using fallback host set)\n", e.Error()) |
| 534 | } |
| 535 | if len(kitResult.ToolInstallHostsResolutionErr) > 0 { |
| 536 | fmt.Fprintln(w, " hint: persist a missing host with `docker agent sandbox allow <host>`") |
| 537 | } |
| 538 | } |
| 539 | |
| 540 | // printAgentNetworkAllowlist prints the host(s) the agent's config |
| 541 | // asked us to add to the sandbox proxy. Surfacing them next to the |