Network Sandbox Management
Overview
Claude Code sandbox restricts network access by default. This skill documents:
- •Which commands need sandbox bypass
- •Current allowlist configuration
- •Troubleshooting connection errors
Allowed Domains (settings.json)
Current allowlist in .claude/settings.json:
| Domain | Purpose |
|---|---|
| jsr.io, *.jsr.io | JSR package registry |
| deno.land, *.deno.land | Deno standard library |
| github.com | Git remote operations |
| api.github.com | GitHub CLI (gh) |
Commands Requiring Sandbox Bypass
Even with allowlist, some commands may need dangerouslyDisableSandbox: true:
Git Network Commands
typescript
// Required for: push, pull, fetch, clone
Bash({
command: "git push -u origin branch-name",
dangerouslyDisableSandbox: true,
});
GitHub CLI
typescript
// Required for all gh commands
Bash({
command: "gh pr create --base develop --head feature-branch",
dangerouslyDisableSandbox: true,
});
Deno with External Packages
typescript
// Required when JSR/deno.land fetch fails in sandbox
Bash({
command: "deno task ci",
dangerouslyDisableSandbox: true,
});
Claude Agent SDK (breakdownlogger-agent)
typescript
// Required for API calls to api.anthropic.com
Bash({
command: "echo '...' | deno run breakdownlogger-agent.ts",
dangerouslyDisableSandbox: true,
});
Commands NOT Requiring Bypass
Local-only operations work in sandbox:
- •
git status,git add,git commit - •
git log,git diff,git branch - •
git checkout,git merge(local) - •
deno fmt,deno lint(cached deps) - •
deno test(cached deps)
Troubleshooting
Connection Timeout / Retry
code
fatal: unable to access 'https://github.com/...': Could not resolve host: github.com
Cause: Sandbox blocking network access Solution: Add
dangerouslyDisableSandbox: true
JSR Package Load Failed
code
error: JSR package manifest for '@std/path' failed to load. Import 'https://jsr.io/@std/path/meta.json' failed.
Cause: Sandbox blocking JSR access Solutions:
- •Verify jsr.io in allowedDomains (should already be there)
- •Use
dangerouslyDisableSandbox: trueif still failing
Transient Network Errors
Connection may fail intermittently due to:
- •Network latency
- •DNS resolution delays
- •Rate limiting
Strategy: Retry the command (usually succeeds on second attempt)
typescript
// Retry pattern for network commands
Bash({
command:
"git push origin branch-name || sleep 2 && git push origin branch-name",
dangerouslyDisableSandbox: true,
});
Adding New Domains
To allow new external domains, edit .claude/settings.json:
json
{
"sandbox": {
"network": {
"allowedDomains": [
"existing-domain.com",
"new-domain.com"
]
}
}
}
Note: Wildcards supported (e.g., *.example.com)
Quick Reference
| Situation | Action |
|---|---|
| git push/pull/fetch/clone | dangerouslyDisableSandbox: true |
| gh (any command) | dangerouslyDisableSandbox: true |
| deno task ci (fresh deps) | dangerouslyDisableSandbox: true |
| deno task ci (cached) | Sandbox OK |
| Claude API calls | dangerouslyDisableSandbox: true |
| Connection error | Retry with sandbox bypass |
Related Skills
- •CI execution:
/local-ci - •CI errors:
/ci-troubleshooting - •Release flow:
/release-procedure