docs: document sandbox-scoped kit network policies

Kit network policy docs did not cover sandbox-scoped rules or kit-level deniedDomains.

Update the Sandboxes policy and kits pages with scoped policy examples, deniedDomains guidance, and a small policy page formatting fix.

Co-Authored-By: Codex <noreply@openai.com>

data/sbx_cli/sbx_policy_allow_network.yaml

@@ -6,8 +6,15 @@ description: |-
     RESOURCES is a comma-separated list of hostnames, domains, or IP addresses.
     Supports exact domains (example.com), wildcard subdomains (*.example.com),
     and optional port suffixes (example.com:443). Use "**" to allow all hosts.
-usage: sbx policy allow network RESOURCES [flags]
+
+    Use -g/--global to apply the rule globally to all sandboxes, or provide
+    SANDBOX before RESOURCES to scope the rule to a specific sandbox.
+usage: sbx policy allow network [-g | SANDBOX] RESOURCES [flags]
 options:
+    - name: global
+      shorthand: g
+      default_value: "false"
+      usage: Apply the rule globally to all sandboxes
     - name: help
       shorthand: h
       default_value: "false"
@@ -18,16 +25,19 @@ inherited_options:
       default_value: "false"
       usage: Enable debug logging
 example: |4-
-      # Allow access to a single host
-      sbx policy allow network api.example.com
+      # Allow access to a single host globally
+      sbx policy allow network -g api.example.com
 
-      # Allow access to multiple hosts
-      sbx policy allow network "api.example.com,cdn.example.com"
+      # Allow access to multiple hosts globally
+      sbx policy allow network -g "api.example.com,cdn.example.com"
+
+      # Allow a host only for a specific sandbox
+      sbx policy allow network my-sandbox api.example.com
 
       # Allow all subdomains of a host
-      sbx policy allow network "*.npmjs.org"
+      sbx policy allow network -g "*.npmjs.org"
 
-      # Allow all outbound traffic
-      sbx policy allow network "**"
+      # Allow all outbound traffic globally
+      sbx policy allow network -g "**"
 see_also:
     - sbx policy allow - Add an allow policy for sandboxes

data/sbx_cli/sbx_policy_deny_network.yaml

@@ -5,8 +5,15 @@ description: |-
 
     RESOURCES is a comma-separated list of hostnames, domains, or IP addresses.
     Deny rules always take precedence over allow rules.
-usage: sbx policy deny network RESOURCES [flags]
+
+    Use -g/--global to apply the rule globally to all sandboxes, or provide
+    SANDBOX before RESOURCES to scope the rule to a specific sandbox.
+usage: sbx policy deny network [-g | SANDBOX] RESOURCES [flags]
 options:
+    - name: global
+      shorthand: g
+      default_value: "false"
+      usage: Apply the rule globally to all sandboxes
     - name: help
       shorthand: h
       default_value: "false"
@@ -17,10 +24,13 @@ inherited_options:
       default_value: "false"
       usage: Enable debug logging
 example: |4-
-      # Block access to a host
-      sbx policy deny network ads.example.com
+      # Block access to a host globally
+      sbx policy deny network -g ads.example.com
 
-      # Block all outbound traffic
-      sbx policy deny network "**"
+      # Block a host only for a specific sandbox
+      sbx policy deny network my-sandbox ads.example.com
+
+      # Block all outbound traffic globally
+      sbx policy deny network -g "**"
 see_also:
     - sbx policy deny - Add a deny policy for sandboxes

data/sbx_cli/sbx_policy_ls.yaml

@@ -5,7 +5,10 @@ description: |-
 
     Displays the policy name (or ID if no name is set), type, decision
     (allow/deny), and the associated resources for each rule.
-usage: sbx policy ls [flags]
+
+    When SANDBOX is specified, only policies that apply to that sandbox are shown
+    (global rules plus rules scoped to that sandbox).
+usage: sbx policy ls [SANDBOX] [flags]
 options:
     - name: help
       shorthand: h
@@ -25,5 +28,8 @@ example: |4-
 
       # List only network policies
       sbx policy ls --type network
+
+      # List policies that apply to a specific sandbox
+      sbx policy ls my-sandbox
 see_also:
     - sbx policy - Manage sandbox policies

data/sbx_cli/sbx_policy_rm_network.yaml

@@ -3,9 +3,16 @@ synopsis: Remove a network policy
 description: |-
     Remove a network policy by rule ID, resource, or both.
 
+    Use -g/--global to remove from the global policy, or provide SANDBOX to
+    remove from a sandbox-scoped policy.
+
     Use "sbx policy ls" to see active policies and their IDs/resources.
-usage: sbx policy rm network [flags]
+usage: sbx policy rm network [-g | SANDBOX] [flags]
 options:
+    - name: global
+      shorthand: g
+      default_value: "false"
+      usage: Remove from the global policy
     - name: help
       shorthand: h
       default_value: "false"
@@ -23,13 +30,13 @@ example: |4-
       # List policies to find the ID or resource to remove
       sbx policy ls
 
-      # Remove a rule by resource
-      sbx policy rm network --resource api.example.com
+      # Remove a global rule by resource
+      sbx policy rm network -g --resource api.example.com
 
-      # Remove a rule by ID
-      sbx policy rm network --id 2d3c1f0e-4a73-4e05-bc9d-f2f9a4b50d67
+      # Remove a global rule by ID
+      sbx policy rm network -g --id 2d3c1f0e-4a73-4e05-bc9d-f2f9a4b50d67
 
-      # Remove by ID and resource using one filter
-      sbx policy rm network --id 2d3c1f0e-4a73-4e05-bc9d-f2f9a4b50d67 --resource "api.example.com,cdn.example.com"
+      # Remove a sandbox-scoped rule by resource
+      sbx policy rm network my-sandbox --resource api.example.com
 see_also:
     - sbx policy rm - Remove a policy

data/sbx_cli/sbx_policy_set-default.yaml

@@ -33,6 +33,6 @@ example: |4-
 
       # Block everything, then allow specific sites
       sbx policy set-default deny-all
-      sbx policy allow network api.example.com:443
+      sbx policy allow network -g api.example.com:443
 see_also:
     - sbx policy - Manage sandbox policies