Default-deny egress. Per-host allow rules with method + path filters. Bearer, Basic, and OAuth secrets injected on the wire, never inside the workload.
Designed for AI agents, code-review bots, and anything running code you didn't write.
No traffic leaves a VM unless an explicit rule matches host, method, and path. POST-with-body APIs (GraphQL, Elasticsearch) filtered at the right layer, not just by HTTP verb.
Register a Bearer, Basic, or OAuth credential once. The proxy injects it on matching requests and strips the workload's placeholder. Your AWS keys, LLM tokens, and GitHub PATs never touch the VM.
Open egress wide while arkade get pulls dependencies, then tighten to one upstream before the agent runs. Rules reload live, no VM restart, no daemon bounce.
Three nouns: client, secret, and allow rule. CLI, REST, Go and TypeScript SDKs all expose the same surface.
# 1. start the proxy on the host
slicer proxy up --hostgroup lab --bind 192.168.222.1

# 2. mint a client + adopt a credential
TOKEN=$(slicer proxy client create bot)
slicer proxy secret create llama \
  --host api.example \
  --value-file ~/llama.txt

# 3. grant narrow access (host + method + path + secret)
slicer proxy allow bot \
  --host api.example \
  --secret llama \
  --method POST \
  --path /v1/chat/completions

# 4. workload uses HTTPS_PROXY; never sees the real bearer
slicer vm exec my-vm \
  --env HTTPS_PROXY=http://:$TOKEN@192.168.222.1:3128 \
  -- curl https://api.example/v1/chat/completions ...

Available on every paid plan. Run an agent against an LLM, clone a repo from a stranger, or sandbox a bot, knowing exactly what it can and can't reach.
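A toy Python model of the decision described above: default deny, match on client, host, method and path, then replace the workload's placeholder with the registered secret. This is an added example, not Slicer's code; the exact-path match, ignoring the query string, rejecting non-canonical paths, and every name and value in it are assumptions.

```python
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class AllowRule:
    client: str
    host: str
    method: str
    path: str    # assumption: exact match, not a prefix or glob
    secret: str  # name of a registered secret


# Constructed sample data mirroring the quick-start (the token value is made up).
SECRETS = {"llama": "constructed-real-token"}
RULES = [AllowRule("bot", "api.example", "POST", "/v1/chat/completions", "llama")]


def canonical_path(target):
    """Drop the query string; return None for encoded or dot-segment paths."""
    path = target.partition("?")[0]
    if unquote(path) != path or posixpath.normpath(path) != path:
        return None  # e.g. /v1/chat/../admin or /v1/%2e%2e/admin
    return path


def decide(client, method, host, target, headers, rules=RULES, secrets=SECRETS):
    """Return (allowed, outbound_headers); anything unmatched is denied."""
    path = canonical_path(target)
    if path is None:
        return False, None
    for r in rules:
        if (r.client, r.host, r.method, r.path) == (
            client, host.lower(), method.upper(), path
        ):
            # Strip whatever credential the workload sent, in any header casing,
            # and inject the real one on the proxy side only.
            out = {k: v for k, v in headers.items() if k.lower() != "authorization"}
            out["Authorization"] = "Bearer " + secrets[r.secret]
            return True, out
    return False, None  # default-deny


if __name__ == "__main__":
    print(decide("bot", "POST", "api.example", "/v1/chat/completions",
                 {"authorization": "Bearer placeholder"}))
    print(decide("bot", "GET", "api.example", "/v1/models", {}))
```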