docs(sandboxes): document deniedDomains in kit network spec reference

dvdksn · claude · dvdksn · commit 3cfcefc477f7 · 2026-05-12T09:20:47.000+02:00
The deniedDomains field was missing from the network spec table despite
being a supported field. Deny rules take precedence over allow rules,
including those contributed by other composed kits.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/content/manuals/ai/sandboxes/customize/kits.md b/content/manuals/ai/sandboxes/customize/kits.md
@@ -551,6 +551,7 @@ missing or the field is absent.
 ```yaml
 network:
   allowedDomains: [<domain>, ...]
+  deniedDomains: [<domain>, ...]
   serviceDomains:
     <domain>: <service-id>
   serviceAuth:
@@ -559,12 +560,13 @@ network:
       valueFormat: <format>
 ```
 
-| Field                     | Description                                                      |
-| ------------------------- | ---------------------------------------------------------------- |
-| `allowedDomains`          | Domains the sandbox can reach. Wildcards supported.              |
-| `serviceDomains`          | Map of domain to service identifier from `credentials.sources`.  |
-| `serviceAuth.headerName`  | HTTP header the proxy sets (for example, `Authorization`).       |
-| `serviceAuth.valueFormat` | Format string for the header value (for example, `"Bearer %s"`). |
+| Field                     | Description                                                                                                                          |
+| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
+| `allowedDomains`          | Domains the sandbox can reach. Wildcards supported.                                                                                  |
+| `deniedDomains`           | Domains the sandbox is blocked from reaching. Deny rules take precedence over allow rules, including those from other composed kits. |
+| `serviceDomains`          | Map of domain to service identifier from `credentials.sources`.                                                                      |
+| `serviceAuth.headerName`  | HTTP header the proxy sets (for example, `Authorization`).                                                                           |
+| `serviceAuth.valueFormat` | Format string for the header value (for example, `"Bearer %s"`).                                                                     |
 
 ### Environment
 
