[FEATURE] Auto-deny unlisted domains in sandbox for autonomous agents
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
Problem Statement
When using permission_mode="bypassPermissions" for autonomous agent runs, unlisted network domains prompt for user input instead of auto-denying, which blocks autonomous operation.
Current Behavior
| Domain Status | Current Behavior | Impact on Autonomous Agents |
|--------------|------------------|----------------------------|
| In allowedDomains | ✅ Works without prompt | Good |
| Not in allowedDomains | ⚠️ Prompts user | Blocks indefinitely |
Example: An agent run accessing example.com shows this prompt and blocks:
Network request outside of sandbox
Host: example.com
Do you want to allow this connection?
❯ 1. Yes
2. Yes, and don't ask again for example.com
3. No, and tell Claude what to do differently (esc)
The agent cannot proceed until a human responds, defeating the purpose of autonomous operation.
Inconsistent Behavior
bypassPermissions has inconsistent behavior across tools:
| Tool/Feature | Allowed Operations | Denied Operations |
|--------------|-------------------|-------------------|
| Bash | No prompt | ✅ Auto-deny (works!) |
| Network | No prompt | ⚠️ Prompts (broken for autonomous) |
| Read/Write/Edit | No prompt | ❌ Ignored (separate issue) |
Bash deny rules auto-block without prompting, but network deny rules prompt.
Proposed Solution
Proposed Solution
Add a setting to auto-deny unlisted domains without prompting when sandbox is enabled:
Option 1: Extend bypassPermissions Behavior
Make bypassPermissions consistent across all tools:
- Allowed domains → work without prompt ✅
- Unlisted domains → auto-deny (fail silently, no prompt) ✅
- Same behavior as Bash deny rules
Option 2: New Sandbox Setting
Add an explicit setting in sandbox configuration:
{
"sandbox": {
"enabled": true,
"network": {
"allowedDomains": ["github.com", "api.internal.com"],
"denyUnlistedDomains": true // ← NEW: Auto-deny instead of prompt
}
}
}
Alternative Solutions
Current workaround limitations:
- Comprehensive allowlist: Must predict all domains agents might need upfront
- Monitor for prompts: If an agent hits an unlisted domain, the run hangs forever
- Can't use sandbox: Only alternative is disabling network protection entirely
Priority
Critical - Blocking my work
Feature Category
CLI commands and flags
Use Case Example
Use Case
Autonomous agent runs via TaskAPI:
- Agents run unattended in background (no human monitoring)
- Used for automated tasks: builds, deployments, investigations
- Require
permission_mode="bypassPermissions"to avoid prompts - Need network sandbox for security (prevent exfiltration to arbitrary domains)
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗