Networking and storage
Networking
Section titled “Networking”Local runtime networking is policy-shaped. Examples should start from deny-by-default and add only the destinations or ports the workload needs.
Port forwarding is an explicit operation. Treat service exposure as part of the workload contract: name the guest port, host binding, protocol, and expected readiness behavior.
File operations cross the host/guest boundary and need path checks. SDK examples should avoid broad host mounts and should explain whether data is copied, mounted, generated during build, or persisted in a volume.
Volumes
Section titled “Volumes”Volumes are stateful. They need explicit lifecycle, ownership, encryption-at-rest posture, and cleanup semantics.
Snapshots and cold mode
Section titled “Snapshots and cold mode”Snapshots preserve machine state. They can contain sensitive data, process memory, generated files, and credentials that were present in the guest. Restore flows must name backend support and integrity evidence.