snowclaw network

SPCS denies all outbound traffic by default. snowclaw network manages the allowlist of external hosts that your service is permitted to reach, and applies that allowlist as Snowflake network rules and external access integrations.

State lives in .snowclaw/network-rules.json (committed to git). Two modes:

  • Allowlist (default, safe) — only detected/approved hosts are permitted.
  • Allow-all (opt-in, behind a red-warning confirm) — the rules 0.0.0.0:443 and 0.0.0.0:80 permit everything. Your saved allowlist is preserved so you can switch back.

list

snowclaw network list

Shows the saved allowlist and the current egress mode. Reads from .snowclaw/network-rules.json.

add

snowclaw network add api.example.com
snowclaw network add api.example.com:443

Adds a host (optionally with a port) to the saved allowlist and prompts to apply changes to Snowflake immediately.

In allow-all mode, the rule is persisted but the CLI prints a yellow note that it won't take effect until you run restrict.

remove

snowclaw network remove api.example.com

Removes a host from the saved allowlist and prompts to apply.

detect

snowclaw network detect

Auto-detects required rules from your openclaw.json — scans provider base URLs, channel hosts (slack.com, api.telegram.org, etc.), and tool hostnames. Always includes *.snowflakecomputing.com:443 for Cortex.

Shows a diff against your current saved list and optionally saves and applies the detected rules.

snowclaw deploy runs detect + diff automatically in allowlist mode.

apply

snowclaw network apply

Pushes the currently saved allowlist (or the allow-all rule, depending on mode) to Snowflake. Runs via REST API.

The network rule and external access integration are created once, then altered on subsequent applies (ALTER NETWORK RULE … SET VALUE_LIST = (…)). That means changes take effect without redeploying the SPCS service — the rule object identity is preserved so the EAI binding stays valid.

allow-all

snowclaw network allow-all

Switches to unrestricted-egress mode. Applies VALUE_LIST = ('0.0.0.0:443', '0.0.0.0:80') — Snowflake's documented catch-all pattern, which only supports ports 443 and 80.

The command sits behind a red warning panel and an explicit confirmation prompt (defaults to "No"). Your saved allowlist is preserved, so restrict restores it.

restrict

snowclaw network restrict

Disables allow-all and re-applies your saved allowlist. One-command way back to safety.
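
A review-time check for the allowlist described above, as an added example (not snowclaw's own code). It validates host[:port] entries, refuses the catch-all values unless allow-all was chosen deliberately, and renders the ALTER NETWORK RULE statement from the apply section. The rule name SNOWCLAW_EGRESS_RULE, the default port of 443 and passing the hosts in as a plain list (the layout of network-rules.json is not shown on this page) are assumptions.

```python
import re

# Catch-all values the page gives for allow-all mode.
CATCH_ALL = {"0.0.0.0:443", "0.0.0.0:80"}
# Strict grammar: optional leading "*." wildcard, then dot-separated DNS labels.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST = re.compile(rf"(?:\*\.)?{_LABEL}(?:\.{_LABEL})+")
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_$]*")


def normalize(entry, default_port=443):
    """Return lower-case 'host:port'; raise ValueError on anything unexpected."""
    text = entry.strip().lower()
    host, sep, port = text.rpartition(":")
    if not sep:  # no port given: assume 443 (assumption, see lead-in)
        host, port = text, str(default_port)
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        raise ValueError(f"bad port in {entry!r}")
    if not _HOST.fullmatch(host):
        raise ValueError(f"bad host in {entry!r}")
    return f"{host}:{int(port)}"


def audit(entries, allow_all=False):
    """De-duplicate and sort entries; reject catch-all values in allowlist mode."""
    rules = sorted({normalize(e) for e in entries})
    wide = [r for r in rules if r in CATCH_ALL]
    if wide and not allow_all:
        raise ValueError(f"catch-all egress in allowlist mode: {wide}")
    return rules


def render_alter(rule_name, rules):
    """Build the ALTER statement; every value is re-validated, so no quote can slip in."""
    if not _IDENT.fullmatch(rule_name):
        raise ValueError(f"bad rule name {rule_name!r}")
    values = ", ".join(f"'{normalize(r)}'" for r in rules)
    return f"ALTER NETWORK RULE {rule_name} SET VALUE_LIST = ({values})"


# Constructed sample input built from hosts mentioned on this page.
SAMPLE = ["api.example.com", "API.example.com:443",
          "*.snowflakecomputing.com:443", "slack.com"]

if __name__ == "__main__":
    print(render_alter("SNOWCLAW_EGRESS_RULE", audit(SAMPLE)))
```

Run as a pre-merge check, this makes a catch-all entry or a malformed host in the committed allowlist fail review before apply pushes it to Snowflake.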