Allow optional sandbox ingress traffic auth

[sitole]

• Adds ability to specify allowPublicAccess: false during sandbox creation and access token needed for sbx traffic.
• Configuration is persisted when sandbox is resumed.
• Envd port is always allowed as there is different auth mechanism for it.
• Sandbox traffic token can be re-constructed from master hash key and sandbox id so we dont need to store in db.

---

Note

Adds optional private sandbox ingress that requires a per-sandbox traffic access token, enforced by the proxy, with API/proto updates and tests.

• API/Schema:
  • Add allowPublicTraffic to SandboxNetworkConfig and expose trafficAccessToken on Sandbox responses.
  • Regenerate OpenAPI spec and generated types.
• Handlers:
  • On create, build network.ingress and validate: disallow non-public traffic unless secure (envd) is enabled; generate EnvdAccessToken via new generator.
  • On get, use new generator for envd token when secure.
• Token generation:
  • Replace EnvdAccessTokenGenerator with unified AccessTokenGenerator supporting GenerateEnvdAccessToken and GenerateTrafficAccessToken.
  • Wire generator through APIStore and Orchestrator.
• Orchestrator:
  • Extend network config with ingress.traffic_access_token (proto + generated pb).
  • Produce trafficAccessToken when AllowPublicAccess is false; pass through to runtime sandbox and network config.
  • Node manager maps ingress to AllowPublicAccess.
• Proxy:
  • Enforce x-e2b-traffic-access-token for sandboxes with private ingress; add specific errors and browser-friendly HTML templates for missing/invalid token.
  • Improve error handling types.
• DB types:
  • Add SandboxNetworkIngressConfig and ingress to SandboxNetworkConfig (persisted for pause/resume).
• Tests:
  • Add integration tests for traffic token enforcement (missing/invalid/valid) and sandbox-not-found page.
  • Add test asserting 400 when disabling public traffic without secure envd flag.

^{Written by Cursor Bugbot for commit c6889f7. This will update automatically on new commits. Configure here.}

[linear]

ENG-3294 Ingress header based auth

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[sitole]

Changes added, only unresolved thing now is #1474 (comment). @jakubno