feat(array): sandbox environments (#42497)

Author: joshsny

products/tasks/backend/constants.py

@@ -1,3 +1,193 @@
+DEFAULT_TRUSTED_DOMAINS = [
+    # PostHog Services
+    "posthog.com",
+    "us.posthog.com",
+    "eu.posthog.com",
+    # Version Control
+    "github.com",
+    "www.github.com",
+    "api.github.com",
+    "raw.githubusercontent.com",
+    "objects.githubusercontent.com",
+    "codeload.github.com",
+    "avatars.githubusercontent.com",
+    "camo.githubusercontent.com",
+    "gist.github.com",
+    "gitlab.com",
+    "www.gitlab.com",
+    "registry.gitlab.com",
+    "bitbucket.org",
+    "www.bitbucket.org",
+    "api.bitbucket.org",
+    # Container Registries
+    "registry-1.docker.io",
+    "auth.docker.io",
+    "index.docker.io",
+    "hub.docker.com",
+    "www.docker.com",
+    "production.cloudflare.docker.com",
+    "download.docker.com",
+    "*.gcr.io",
+    "ghcr.io",
+    "mcr.microsoft.com",
+    "*.data.mcr.microsoft.com",
+    # Cloud Platforms
+    "cloud.google.com",
+    "accounts.google.com",
+    "gcloud.google.com",
+    "*.googleapis.com",
+    "storage.googleapis.com",
+    "compute.googleapis.com",
+    "container.googleapis.com",
+    "azure.com",
+    "portal.azure.com",
+    "microsoft.com",
+    "www.microsoft.com",
+    "*.microsoftonline.com",
+    "packages.microsoft.com",
+    "dotnet.microsoft.com",
+    "dot.net",
+    "visualstudio.com",
+    "dev.azure.com",
+    "oracle.com",
+    "www.oracle.com",
+    "java.com",
+    "www.java.com",
+    "java.net",
+    "www.java.net",
+    "download.oracle.com",
+    "yum.oracle.com",
+    # Package Managers - JavaScript/Node
+    "registry.npmjs.org",
+    "www.npmjs.com",
+    "www.npmjs.org",
+    "npmjs.com",
+    "npmjs.org",
+    "yarnpkg.com",
+    "registry.yarnpkg.com",
+    # Package Managers - Python
+    "pypi.org",
+    "www.pypi.org",
+    "files.pythonhosted.org",
+    "pythonhosted.org",
+    "test.pypi.org",
+    "pypi.python.org",
+    "pypa.io",
+    "www.pypa.io",
+    # Package Managers - Ruby
+    "rubygems.org",
+    "www.rubygems.org",
+    "api.rubygems.org",
+    "index.rubygems.org",
+    "ruby-lang.org",
+    "www.ruby-lang.org",
+    "rubyforge.org",
+    "www.rubyforge.org",
+    "rubyonrails.org",
+    "www.rubyonrails.org",
+    "rvm.io",
+    "get.rvm.io",
+    # Package Managers - Rust
+    "crates.io",
+    "www.crates.io",
+    "static.crates.io",
+    "rustup.rs",
+    "static.rust-lang.org",
+    "www.rust-lang.org",
+    # Package Managers - Go
+    "proxy.golang.org",
+    "sum.golang.org",
+    "index.golang.org",
+    "golang.org",
+    "www.golang.org",
+    "goproxy.io",
+    "pkg.go.dev",
+    # Package Managers - JVM
+    "maven.org",
+    "repo.maven.org",
+    "central.maven.org",
+    "repo1.maven.org",
+    "jcenter.bintray.com",
+    "gradle.org",
+    "www.gradle.org",
+    "services.gradle.org",
+    "spring.io",
+    "repo.spring.io",
+    # Package Managers - Other Languages
+    "packagist.org",
+    "www.packagist.org",
+    "repo.packagist.org",
+    "nuget.org",
+    "www.nuget.org",
+    "api.nuget.org",
+    "pub.dev",
+    "api.pub.dev",
+    "hex.pm",
+    "www.hex.pm",
+    "cpan.org",
+    "www.cpan.org",
+    "metacpan.org",
+    "www.metacpan.org",
+    "api.metacpan.org",
+    "cocoapods.org",
+    "www.cocoapods.org",
+    "cdn.cocoapods.org",
+    "haskell.org",
+    "www.haskell.org",
+    "hackage.haskell.org",
+    "swift.org",
+    "www.swift.org",
+    # Linux Distributions
+    "archive.ubuntu.com",
+    "security.ubuntu.com",
+    "ubuntu.com",
+    "www.ubuntu.com",
+    "*.ubuntu.com",
+    "ppa.launchpad.net",
+    "launchpad.net",
+    "www.launchpad.net",
+    # Development Tools & Platforms
+    "dl.k8s.io",
+    "pkgs.k8s.io",
+    "k8s.io",
+    "www.k8s.io",
+    "releases.hashicorp.com",
+    "apt.releases.hashicorp.com",
+    "rpm.releases.hashicorp.com",
+    "archive.releases.hashicorp.com",
+    "hashicorp.com",
+    "www.hashicorp.com",
+    "repo.anaconda.com",
+    "conda.anaconda.org",
+    "anaconda.org",
+    "www.anaconda.com",
+    "anaconda.com",
+    "continuum.io",
+    "apache.org",
+    "www.apache.org",
+    "archive.apache.org",
+    "downloads.apache.org",
+    "eclipse.org",
+    "www.eclipse.org",
+    "download.eclipse.org",
+    "nodejs.org",
+    "www.nodejs.org",
+    # Cloud Services & Monitoring
+    "statsig.com",
+    "www.statsig.com",
+    "api.statsig.com",
+    "*.sentry.io",
+    # Content Delivery & Mirrors
+    "*.sourceforge.net",
+    "packagecloud.io",
+    "*.packagecloud.io",
+    # Schema & Configuration
+    "json-schema.org",
+    "www.json-schema.org",
+    "json.schemastore.org",
+    "www.schemastore.org",
+]
+
 SETUP_REPOSITORY_PROMPT = """
 Your goal is to setup the repository in the current environment.
 

products/tasks/backend/migrations/0020_sandbox_environment.py

@@ -0,0 +1,95 @@
+# Generated by Django 4.2.26 on 2025-12-02 16:12
+
+import django.db.models.deletion
+import django.contrib.postgres.fields
+from django.conf import settings
+from django.db import migrations, models
+
+import posthog.models.utils
+import posthog.helpers.encrypted_fields
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ("posthog", "0925_team_business_model"),
+        ("tasks", "0019_remove_taskrun_log_storage_path"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="SandboxEnvironment",
+            fields=[
+                (
+                    "id",
+                    models.UUIDField(
+                        default=posthog.models.utils.uuid7, editable=False, primary_key=True, serialize=False
+                    ),
+                ),
+                ("name", models.CharField(max_length=255)),
+                (
+                    "network_access_level",
+                    models.CharField(
+                        choices=[("trusted", "Trusted"), ("full", "Full"), ("custom", "Custom")],
+                        default="full",
+                        max_length=20,
+                    ),
+                ),
+                (
+                    "allowed_domains",
+                    django.contrib.postgres.fields.ArrayField(
+                        base_field=models.CharField(max_length=255),
+                        blank=True,
+                        default=list,
+                        help_text="List of allowed domains for custom network access",
+                        size=None,
+                    ),
+                ),
+                (
+                    "include_default_domains",
+                    models.BooleanField(
+                        default=False, help_text="Whether to include default trusted domains (GitHub, npm, PyPI)"
+                    ),
+                ),
+                (
+                    "repositories",
+                    django.contrib.postgres.fields.ArrayField(
+                        base_field=models.CharField(max_length=255),
+                        blank=True,
+                        default=list,
+                        help_text="List of repositories this environment applies to (format: org/repo)",
+                        size=None,
+                    ),
+                ),
+                (
+                    "environment_variables",
+                    posthog.helpers.encrypted_fields.EncryptedJSONStringField(
+                        blank=True,
+                        default=dict,
+                        help_text="Encrypted environment variables for sandbox execution",
+                        null=True,
+                    ),
+                ),
+                (
+                    "private",
+                    models.BooleanField(
+                        default=True,
+                        help_text="If true, only the creator can see this environment. Otherwise visible to whole team.",
+                    ),
+                ),
+                ("created_at", models.DateTimeField(auto_now_add=True)),
+                ("updated_at", models.DateTimeField(auto_now=True)),
+                (
+                    "created_by",
+                    models.ForeignKey(
+                        blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, to=settings.AUTH_USER_MODEL
+                    ),
+                ),
+                ("team", models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to="posthog.team")),
+            ],
+            options={
+                "db_table": "posthog_sandbox_environment",
+                "indexes": [models.Index(fields=["team", "created_by"], name="posthog_san_team_id_817c0d_idx")],
+            },
+        ),
+    ]

products/tasks/backend/migrations/max_migration.txt

@@ -1 +1 @@
-0019_remove_taskrun_log_storage_path
+0020_sandbox_environment