sbx: note that org policy overrides kit network rules #25231
Merged
Kit-defined network rules (allowedDomains/deniedDomains) are ignored when organization governance is active, since only org rules are evaluated. This wasn't documented anywhere. Add an IMPORTANT callout in the kit "Control network access" section and extend the governance precedence section to account for kit rules.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
docker-agent
reviewed
Jun 2, 2026
Assessment: 🟢 APPROVE
Small, well-scoped documentation PR that fills a genuine gap: kit-defined network rules being silently ignored when organization governance is active.
Changes reviewed:
- customize/kits.md: Adds a correctly-formatted [!IMPORTANT] callout with accurate information and a valid cross-link to the precedence section.
- governance/concepts.md: Expands both precedence bullets to mention kit-defined network rules alongside local rules — internally consistent and accurate.
No style guide violations, no markdown issues, no missing redirects, no AI-isms detected. The PR is clean.
usha-mandya
approved these changes
Jun 2, 2026
Description
Documents a gap in the Docker Sandboxes (sbx) docs: network rules defined in a kit (allowedDomains/deniedDomains) don't apply when organization governance is active. In that case only organization rules are evaluated, so kit-defined allows and denies are ignored — including domains a kit allows for the agent to reach. This precedence behavior wasn't documented anywhere.

Changes:
- customize/kits.md — Add an [!IMPORTANT] callout in the "Control network access" section (where a kit author defines network rules) explaining that org governance takes precedence, with a link to Policy precedence.
- governance/concepts.md — The "Precedence" section previously mentioned only local rules. Both bullets now account for kit-defined network rules: they apply alongside local rules when there's no org governance, and are not evaluated (shown inactive in sbx policy ls) when org governance is active.

Related issues
n/a
🤖 Generated with Claude Code