The Real Story Of NetworkGuard: Block All Network I/O
NetworkGuard enforces a hard stop: every network I/O call during tests is blocked unless explicitly permitted. Recent boto3 plugin tests uncovered accidental EC2 metadata calls (169.254.169.254) intercepted by the DnsPlugin - bugs that slip past individual interceptors but are caught at the system level. Blocking all network access by default prevents data leaks in setup and teardown, especially in automated test environments where sandboxes often leave stray connections.

This design flips the script: instead of relying solely on individual plugin hooks, NetworkGuard patches core network primitives like `socket.connect` and `getaddrinfo`, raising a `NetworkGuardError` on any unapproved I/O. Configured via `[tool.bigfoot] network_guard = true`, it activates by default - no opt-in required, no exceptions. Even outside bigfoot's sandbox, network calls fail immediately.

But here's the twist: does it handle granularity? Yes. Testers can still allow specific domains - try `allow_network(
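
The primitive-level patching described above, wrapping `socket.connect` and `getaddrinfo` so that any unapproved call raises, as an added example that is not bigfoot's own code. The `network_guard` context manager, its `allow` parameter and this `NetworkGuardError` class are assumptions made for illustration, and the metadata check uses the address quoted in the text.

```python
import contextlib
import socket


class NetworkGuardError(RuntimeError):
    """Raised when guarded code attempts unapproved network I/O (illustrative class)."""


@contextlib.contextmanager
def network_guard(allow=()):
    """Hypothetical guard: block connect() and getaddrinfo() unless host is in `allow`."""
    allowed = {h.lower() for h in allow}
    real_connect = socket.socket.connect
    real_getaddrinfo = socket.getaddrinfo

    def check(host, what):
        if isinstance(host, bytes):
            host = host.decode("ascii", "replace")
        if str(host).lower() not in allowed:
            raise NetworkGuardError(f"blocked {what} to {host!r}")

    def guarded_connect(sock, address):
        # AF_UNIX addresses are str/bytes paths rather than (host, port) tuples.
        if isinstance(address, tuple):
            check(address[0], "connect")
        return real_connect(sock, address)

    def guarded_getaddrinfo(host, *args, **kwargs):
        # Fail before the resolver runs, so no DNS query leaves the machine.
        check(host, "getaddrinfo")
        return real_getaddrinfo(host, *args, **kwargs)

    socket.socket.connect = guarded_connect
    socket.getaddrinfo = guarded_getaddrinfo
    try:
        yield
    finally:
        # Always restore the originals, even if the guarded code raised.
        socket.socket.connect = real_connect
        socket.getaddrinfo = real_getaddrinfo


def metadata_call_is_blocked():
    """Constructed check: a connect to the EC2 metadata address must raise."""
    with network_guard(allow={"127.0.0.1"}), socket.socket() as s:
        try:
            s.connect(("169.254.169.254", 80))
        except NetworkGuardError:
            return True
    return False
```

Because `socket.create_connection` resolves through the module-level `getaddrinfo`, higher-level clients that use it are covered too; `connect_ex` and non-socket transports are outside what this example patches.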