Network Sandboxing gives you a simple way to keep agent internet access scoped to what your project actually needs.
In Project Settings → Network Access, you can choose how strict to be:
- No access: Block all external domains. Only internal Superconductor domains and the agent's own provider API are allowed.
- Custom access (default): Allow only the domains you choose, plus optional trusted package registries.
- Full access: Allow all domains (use with caution).
If you select No access or Custom access, you can also whitelist domains in the moment, directly from chat, when an agent gets blocked. If an agent tries to reach a domain that isn’t allowed, you’ll see a “Network sandbox blocked access to domain” warning, and you can choose to:
- Continue blocking
- Allow for project (persist as a project rule)
- Allow for this ticket (scoped to just that implementation)
This gives teams a practical default: start secure, then open access intentionally as real work demands it.
Check out the full configuration details in our docs: Network sandboxing. Questions? Feedback? Let us know!
