[FEATURE] Auto-deny unlisted domains in sandbox for autonomous agents

Resolved 💬 3 comments Opened Feb 27, 2026 by salehrastani Closed Mar 2, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

Problem Statement

When using permission_mode="bypassPermissions" for autonomous agent runs, unlisted network domains prompt for user input instead of auto-denying, which blocks autonomous operation.

Current Behavior

| Domain Status | Current Behavior | Impact on Autonomous Agents |
|--------------|------------------|----------------------------|
| In allowedDomains | ✅ Works without prompt | Good |
| Not in allowedDomains | ⚠️ Prompts user | Blocks indefinitely |

Example: An agent run accessing example.com shows this prompt and blocks:

Network request outside of sandbox

     Host: example.com

     Do you want to allow this connection?
     ❯ 1. Yes
       2. Yes, and don't ask again for example.com
       3. No, and tell Claude what to do differently (esc)

The agent cannot proceed until a human responds, defeating the purpose of autonomous operation.

Inconsistent Behavior

bypassPermissions has inconsistent behavior across tools:

| Tool/Feature | Allowed Operations | Denied Operations |
|--------------|-------------------|-------------------|
| Bash | No prompt | ✅ Auto-deny (works!) |
| Network | No prompt | ⚠️ Prompts (broken for autonomous) |
| Read/Write/Edit | No prompt | ❌ Ignored (separate issue) |

Bash deny rules auto-block without prompting, but network deny rules prompt.

Proposed Solution

Proposed Solution

Add a setting to auto-deny unlisted domains without prompting when sandbox is enabled:

Option 1: Extend bypassPermissions Behavior

Make bypassPermissions consistent across all tools:

  • Allowed domains → work without prompt ✅
  • Unlisted domains → auto-deny (fail silently, no prompt) ✅
  • Same behavior as Bash deny rules

Option 2: New Sandbox Setting

Add an explicit setting in sandbox configuration:

{
  "sandbox": {
    "enabled": true,
    "network": {
      "allowedDomains": ["github.com", "api.internal.com"],
      "denyUnlistedDomains": true  // ← NEW: Auto-deny instead of prompt
    }
  }
}

Alternative Solutions

Current workaround limitations:

  1. Comprehensive allowlist: Must predict all domains agents might need upfront
  2. Monitor for prompts: If an agent hits an unlisted domain, the run hangs forever
  3. Can't use sandbox: Only alternative is disabling network protection entirely

Priority

Critical - Blocking my work

Feature Category

CLI commands and flags

Use Case Example

Use Case

Autonomous agent runs via TaskAPI:

  • Agents run unattended in background (no human monitoring)
  • Used for automated tasks: builds, deployments, investigations
  • Require permission_mode="bypassPermissions" to avoid prompts
  • Need network sandbox for security (prevent exfiltration to arbitrary domains)

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗