diff --git a/docs/agents/amp.mdx b/docs/agents/amp.mdx
index 197b7081..728c803b 100644
--- a/docs/agents/amp.mdx
+++ b/docs/agents/amp.mdx
@@ -22,7 +22,11 @@ amp
## Run headless
-Use `-x` for non-interactive mode and `--dangerously-allow-all` to auto-approve all tool calls (safe inside E2B sandboxes). Amp uses its own API key from [ampcode.com/settings](https://ampcode.com/settings).
+Use `-x` for non-interactive mode and `--dangerously-allow-all` to auto-approve all tool calls. The sandbox isolates the agent from your host machine, but sandboxes can reach the open internet by default — restrict outbound traffic with [network rules](/docs/network/internet-access). Amp uses its own API key from [ampcode.com/settings](https://ampcode.com/settings).
+
+
+Auto-approving tool calls is contained by the sandbox: the agent cannot touch your host machine, local files, or credentials. It can still make outbound network requests — internet access is enabled by default. To limit where an auto-approved agent can connect, configure [outbound network rules](/docs/network/internet-access) (`allowInternetAccess`, plus allow/deny lists by CIDR or hostname). Hostname rules apply to HTTP(S) traffic only; use CIDR rules for other protocols.
+
```typescript JavaScript & TypeScript
diff --git a/docs/agents/claude-code.mdx b/docs/agents/claude-code.mdx
index 68c3423a..d401fe36 100644
--- a/docs/agents/claude-code.mdx
+++ b/docs/agents/claude-code.mdx
@@ -22,7 +22,11 @@ claude
## Run headless
-Use `-p` for non-interactive mode and `--dangerously-skip-permissions` to auto-approve all tool calls (safe inside E2B sandboxes).
+Use `-p` for non-interactive mode and `--dangerously-skip-permissions` to auto-approve all tool calls. The sandbox isolates the agent from your host machine, but sandboxes can reach the open internet by default — restrict outbound traffic with [network rules](/docs/network/internet-access) if the agent processes untrusted input or handles secrets.
+
+
+Auto-approving tool calls is contained by the sandbox: the agent cannot touch your host machine, local files, or credentials. It can still make outbound network requests — internet access is enabled by default. To limit where an auto-approved agent can connect, configure [outbound network rules](/docs/network/internet-access) (`allowInternetAccess`, plus allow/deny lists by CIDR or hostname). Hostname rules apply to HTTP(S) traffic only; use CIDR rules for other protocols.
+
```typescript JavaScript & TypeScript
diff --git a/docs/agents/codex.mdx b/docs/agents/codex.mdx
index 7b6f854f..f51b1b26 100644
--- a/docs/agents/codex.mdx
+++ b/docs/agents/codex.mdx
@@ -22,7 +22,11 @@ codex
## Run headless
-Use `codex exec` for non-interactive mode and `--full-auto` to auto-approve tool calls (safe inside E2B sandboxes). Pass `--skip-git-repo-check` to bypass git directory ownership checks inside the sandbox. Pass `CODEX_API_KEY` as an environment variable.
+Use `codex exec` for non-interactive mode and `--full-auto` to auto-approve tool calls. The sandbox isolates the agent from your host machine, but sandboxes can reach the open internet by default — restrict outbound traffic with [network rules](/docs/network/internet-access). Pass `--skip-git-repo-check` to bypass git directory ownership checks inside the sandbox. Pass `CODEX_API_KEY` as an environment variable.
+
+
+Auto-approving tool calls is contained by the sandbox: the agent cannot touch your host machine, local files, or credentials. It can still make outbound network requests — internet access is enabled by default. To limit where an auto-approved agent can connect, configure [outbound network rules](/docs/network/internet-access) (`allowInternetAccess`, plus allow/deny lists by CIDR or hostname). Hostname rules apply to HTTP(S) traffic only; use CIDR rules for other protocols.
+
```typescript JavaScript & TypeScript
diff --git a/docs/agents/devin.mdx b/docs/agents/devin.mdx
index aeab69b8..180fc9fe 100644
--- a/docs/agents/devin.mdx
+++ b/docs/agents/devin.mdx
@@ -25,6 +25,10 @@ source /home/user/.bashrc
After installation and login, use `devin -p` for non-interactive mode and `--permission-mode dangerous` to auto-approve tool calls.
+
+Auto-approving tool calls is contained by the sandbox: the agent cannot touch your host machine, local files, or credentials. It can still make outbound network requests — internet access is enabled by default. To limit where an auto-approved agent can connect, configure [outbound network rules](/docs/network/internet-access) (`allowInternetAccess`, plus allow/deny lists by CIDR or hostname). Hostname rules apply to HTTP(S) traffic only; use CIDR rules for other protocols.
+
+
```bash
mkdir -p /home/user/project
cd /home/user/project
diff --git a/docs/agents/grok.mdx b/docs/agents/grok.mdx
index e5c9437a..9eb8fbb4 100644
--- a/docs/agents/grok.mdx
+++ b/docs/agents/grok.mdx
@@ -22,7 +22,11 @@ grok
## Run headless
-Use `-p` for non-interactive mode and `--always-approve` to auto-approve all tool calls (safe inside E2B sandboxes). Grok Build authenticates with an API key from the [xAI console](https://console.x.ai) via the `XAI_API_KEY` environment variable.
+Use `-p` for non-interactive mode and `--always-approve` to auto-approve all tool calls. The sandbox isolates the agent from your host machine, but sandboxes can reach the open internet by default — restrict outbound traffic with [network rules](/docs/network/internet-access). Grok Build authenticates with an API key from the [xAI console](https://console.x.ai) via the `XAI_API_KEY` environment variable.
+
+
+Auto-approving tool calls is contained by the sandbox: the agent cannot touch your host machine, local files, or credentials. It can still make outbound network requests — internet access is enabled by default. To limit where an auto-approved agent can connect, configure [outbound network rules](/docs/network/internet-access) (`allowInternetAccess`, plus allow/deny lists by CIDR or hostname). Hostname rules apply to HTTP(S) traffic only; use CIDR rules for other protocols.
+
```typescript JavaScript & TypeScript