Monitor and Allowlist¶

You need at least one active session before using these commands — start one with vibepit run if you have not already.

Open the monitor¶

Launch the interactive monitor to inspect proxy traffic in real time:

vibepit monitor

The monitor displays a live stream of proxy log entries. Each line shows a timestamp, source (HTTP or DNS), domain, port (for HTTP entries), and whether the request was allowed or blocked:

+ — request was allowed by an existing rule.
x — request was blocked.

Allow domains from the monitor¶

You can add allowlist entries directly from the monitor without leaving the TUI:

Navigate to a blocked entry using the arrow keys.
Press a to allow the domain for the current session only.
Press A (shift) to allow the domain and save it to your project configuration for future sessions.

After allowing, the entry marker changes to reflect its new status, and the footer confirms the action.

Add HTTP(S) allowlist entries¶

Grant the sandbox access to an HTTP or HTTPS endpoint with allow-http. Each entry takes the form domain:port-pattern:

vibepit allow-http api.example.com:443

The port is required

Every allow-http entry needs a port pattern. vibepit allow-http example.com will be rejected — use example.com:443 for HTTPS, example.com:80 for HTTP, or example.com:* for any port.

You can add multiple entries in a single command:

vibepit allow-http api.example.com:443 registry.npmjs.org:443

Wildcard domains¶

* matches exactly one subdomain label. ** matches one or more labels:

Pattern	Matches	Does not match
`*.example.com:443`	`api.example.com:443`	`example.com:443`, `a.b.example.com:443`
`**.example.com:443`	`api.example.com:443`, `a.b.example.com:443`	`example.com:443`
`bedrock.*.amazonaws.com:443`	`bedrock.us-east-1.amazonaws.com:443`	`bedrock.a.b.amazonaws.com:443`

To allow both the apex and all subdomains, add two entries:

vibepit allow-http example.com:443 "**.example.com:443"

Port patterns¶

Pattern	Effect
`443`	Matches port 443 only
`*`	Matches any port

Add DNS allowlist entries¶

Allow the sandbox to resolve a domain name with allow-dns. Entries are domain patterns without a port:

vibepit allow-dns internal.example.com

Multiple entries work the same way:

vibepit allow-dns internal.example.com api.example.com

Wildcard semantics are identical to HTTP entries: *.example.com matches exactly one subdomain label, **.example.com matches one or more labels. Neither matches the apex domain.

Skip saving to config¶

By default, every entry you add is persisted to your project configuration file (.vibepit/network.yaml) so it applies to future sessions automatically. To add an entry for the current session only, pass --no-save:

vibepit allow-http --no-save staging.example.com:443
vibepit allow-dns --no-save staging.example.com

Target a specific session¶

When you have a single running session, allow-http, allow-dns, and monitor connect to it automatically. If multiple sessions are running, specify which one with --session:

vibepit monitor --session <session-id>
vibepit allow-http --session <session-id> api.example.com:443
vibepit allow-dns --session <session-id> internal.example.com

Retrieve session IDs with:

vibepit sessions

When multiple sessions exist and you omit --session, an interactive selector appears so you can choose the target session.

See the CLI Reference for full flag details on all commands.