Summary
Add a low-level network guard that blocks all network I/O during tests by default, independent of bigfoot sandbox contexts. Any network call outside an explicit allow() context raises immediately.
Motivation
The boto3 plugin tests revealed that boto3.client() internally resolves the EC2 metadata endpoint (169.254.169.254) for credential discovery, which the DnsPlugin intercepts as an unmocked interaction. This class of bug (accidental real network calls in tests) should be caught at the lowest level, not just by individual plugin interceptors.
Proposed Design
- Patch socket.socket.connect, socket.getaddrinfo, and similar at the lowest level
- Any network call outside an explicit allow() context raises NetworkGuardError
- Enabled by default via pytest plugin, configurable via pyproject.toml ([tool.bigfoot] network_guard = true/false)
- Works outside bigfoot sandbox contexts (catches setup/teardown leaks too)
- Granular allows for test setup that genuinely needs network access
```python
# Default: everything blocked
def test_something():
    with bigfoot:
        do_stuff()  # network calls raise NetworkGuardError

# Explicit allow for test setup that needs real network
from bigfoot.testing import allow_network

def test_with_real_network():
    with allow_network("dns", "http"):  # granular allows
        real_client = make_real_client()
    with bigfoot:
        do_stuff_with_client(real_client)
```
Open Questions
- Should allows be combinable? e.g. allow_network("dns", "http") vs separate context managers
- Should there be a fixture-based API as well? e.g. @pytest.mark.allow_network("dns")
- Should it detect and block non-socket network (e.g. subprocess calling curl)?
- Interaction with bigfoot plugins: should the guard defer to bigfoot's own interceptors when a sandbox is active, or layer on top?
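A minimal sketch of the guard described under Proposed Design, added here as an illustration and not bigfoot's implementation. The mapping of "dns" to getaddrinfo and "http" to TCP connects on ports 80/443, and the names install, uninstall and is_blocked, are assumptions; connect_ex and UDP sends are left unpatched.

```python
import contextlib
import contextvars
import socket

class NetworkGuardError(RuntimeError):
    """Raised when code touches the network outside allow_network()."""

# Assumption: "dns" covers name resolution, "http" covers TCP connects to 80/443.
HTTP_PORTS = {80, 443}
_allowed = contextvars.ContextVar("allowed", default=frozenset())
_real_connect = socket.socket.connect
_real_getaddrinfo = socket.getaddrinfo

def _guarded_getaddrinfo(host, *args, **kwargs):
    if "dns" not in _allowed.get():
        raise NetworkGuardError(f"blocked DNS lookup for {host!r}")
    return _real_getaddrinfo(host, *args, **kwargs)

def _guarded_connect(sock, address):
    # AF_UNIX addresses are paths, not (host, port); treat them as local IPC.
    if sock.family == getattr(socket, "AF_UNIX", None):
        return _real_connect(sock, address)
    if not ("http" in _allowed.get() and address[1] in HTTP_PORTS):
        raise NetworkGuardError(f"blocked connect to {address!r}")
    return _real_connect(sock, address)

def install():
    """Patch the two entry points; works with or without a sandbox active."""
    socket.getaddrinfo = _guarded_getaddrinfo
    socket.socket.connect = _guarded_connect

def uninstall():
    socket.getaddrinfo = _real_getaddrinfo
    socket.socket.connect = _real_connect

@contextlib.contextmanager
def allow_network(*kinds):
    # Nested contexts union their allows; leaving a context restores the old set.
    token = _allowed.set(_allowed.get() | frozenset(kinds))
    try:
        yield
    finally:
        _allowed.reset(token)

def is_blocked(call, *args):
    """Return True if call(*args) is stopped by the guard."""
    try:
        call(*args)
    except NetworkGuardError:
        return True
    return False
```

With the guard installed, the metadata-endpoint lookup from the Motivation section fails at the socket layer before any packet leaves the host.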