fix: proxy host filtering and credential resolution for sandboxed

[lukehinds]

profiles

Sandbox profiles had no network_profile set, so the proxy started with an empty host allowlist and blocked all traffic. Credential keys were hardcoded per-provider instead of defaulting to the service name.

• Set network_profile on all sandbox profiles in policy.json
• Consolidate duplicate network profiles into single "developer" profile
• Default credential_key to service name (keychain account matches credential)
• Remove hardcoded credential_key from all built-in credential definitions
• Expand --proxy-allow group names to their constituent hosts
• Downgrade missing Proxy-Authorization to debug (Node.js undici omits it)
• Make CONNECT auth non-fatal since host filtering is the real security

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refines the network proxy and credential management within sandboxed environments. It addresses issues where sandbox profiles lacked proper network configurations, leading to blocked traffic, and streamlines credential resolution by defaulting keys to service names. Additionally, it enhances the flexibility of proxy allowlists and makes CONNECT proxy authentication more robust by tolerating missing authorization headers from certain clients, ultimately improving the reliability and usability of network interactions for sandboxed operations.

Highlights

• Enhanced Sandbox Network Access: Sandbox profiles now correctly utilize the "developer" network profile, ensuring proper proxy host filtering and preventing blocked traffic.
• Streamlined Network Profiles: Duplicate network profiles, specifically "opencode" and "claude-code", have been consolidated into a single "developer" profile for improved maintainability.
• Flexible Credential Resolution: Credential keys now default to the service name if not explicitly defined, simplifying credential management and removing hardcoded values from built-in credential definitions.
• Improved Proxy Allowlist Expansion: The --proxy-allow flag now correctly expands group names into their constituent hosts and suffixes, providing more granular control over allowed network destinations.
• Tolerant CONNECT Authentication: Missing Proxy-Authorization headers for CONNECT requests are now logged as debug messages and do not block traffic, accommodating clients like Node.js undici that may omit this header.

Changelog

• crates/nono-cli/data/network-policy.json
  • Removed opencode and claude-code network profiles.
  • Removed explicit credential_key fields from openai, anthropic, gemini, and google-ai credentials.
• crates/nono-cli/data/policy.json
  • Added network_profile: "developer" to the network configuration of claude-code, opencode, opencode-vscode, gemini-code, gemini-code-vscode, anthropic-code, and anthropic-code-vscode sandbox profiles.
• crates/nono-cli/src/main.rs
  • Introduced a call to network_policy::expand_proxy_allow to process --proxy-allow flags before building the proxy configuration.
• crates/nono-cli/src/network_policy.rs
  • Modified CredentialDef to make credential_key an Option<String> with a default value.
  • Updated resolve_credentials to default credential_key to the service name if not specified.
  • Added a new public function expand_proxy_allow to expand group names in proxy allowlists.
  • Renamed test_resolve_claude_code_profile to test_resolve_developer_profile and updated the profile name used in the test.
• crates/nono-proxy/src/connect.rs
  • Changed handle_connect to conditionally validate Proxy-Authorization and log errors at debug level, making it non-fatal for CONNECT requests.
• crates/nono-proxy/src/token.rs
  • Changed the log level for missing Proxy-Authorization header from warn to debug.

Activity

• No human activity has been recorded on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request enhances proxy functionality for sandboxed profiles by ensuring network profiles are set, consolidating duplicated network profiles, improving credential resolution through defaulting credential_key to the service name, and expanding --proxy-allow group names. However, a critical security concern has been identified: making CONNECT authentication non-fatal introduces a high-severity authentication bypass. This change weakens the proxy's security model by allowing unauthorized local processes to utilize the proxy tunnel without proper session token validation. Additionally, a suggestion has been made to reduce code duplication.

[gemini-code-assist]

The logic for converting a suffix to a wildcard pattern is also present in the build_proxy_config function (lines 245-251). To improve maintainability and reduce duplication, I've extracted it into a private helper function suffix_to_wildcard.

This change makes expand_proxy_allow cleaner. You could consider updating build_proxy_config to use this new helper function in a follow-up change to fully eliminate the code duplication.

/// Expand `--proxy-allow` entries: if an entry matches a group name in the
/// network policy, expand it to the group's hosts and suffixes. Otherwise
/// treat it as a literal hostname.
pub fn expand_proxy_allow(policy: &NetworkPolicy, entries: &[String]) -> Vec<String> {
    let mut result = Vec::new();
    for entry in entries {
        if let Some(group) = policy.groups.get(entry.as_str()) {
            result.extend(group.hosts.clone());
            for suffix in &group.suffixes {
                result.push(suffix_to_wildcard(suffix));
            }
        } else {
            result.push(entry.clone());
        }
    }
    result
}

/// Converts a suffix string to a wildcard pattern.
fn suffix_to_wildcard(suffix: &str) -> String {
    if suffix.starts_with('.') {
        format!("*{}