docs: update CORS documentation for inspector defaults

docs/cli.mdx

@@ -19,10 +19,11 @@ sandbox-agent server [OPTIONS]
 | `-n, --no-token` | - | Disable authentication (local dev only) |
 | `-H, --host <HOST>` | `127.0.0.1` | Host to bind to |
 | `-p, --port <PORT>` | `2468` | Port to bind to |
-| `-O, --cors-allow-origin <ORIGIN>` | - | CORS allowed origin (repeatable) |
-| `-M, --cors-allow-method <METHOD>` | - | CORS allowed method (repeatable) |
-| `-A, --cors-allow-header <HEADER>` | - | CORS allowed header (repeatable) |
+| `-O, --cors-allow-origin <ORIGIN>` | - | Additional CORS origin (repeatable, cumulative with Inspector) |
+| `-M, --cors-allow-method <METHOD>` | all | CORS allowed method (repeatable) |
+| `-A, --cors-allow-header <HEADER>` | all | CORS allowed header (repeatable) |
 | `-C, --cors-allow-credentials` | - | Enable CORS credentials |
+| `--no-inspector-cors` | - | Disable default Inspector CORS |
 | `--no-telemetry` | - | Disable anonymous telemetry |
 
 ```bash

docs/cors.mdx

@@ -5,48 +5,66 @@ sidebarTitle: "CORS"
 icon: "globe"
 ---
 
-When calling the Sandbox Agent server from a browser, you need to enable CORS (Cross-Origin Resource Sharing) explicitly.
+When calling the Sandbox Agent server from a browser, CORS (Cross-Origin Resource Sharing) controls which origins can make requests.
 
-## Basic Configuration
+## Default Behavior
+
+By default, the server allows CORS requests from the [Inspector](https://inspect.sandboxagent.dev):
 
 ```bash
+# Inspector CORS is enabled by default
+sandbox-agent server --token "$SANDBOX_TOKEN"
+```
+
+This allows you to use the hosted Inspector to connect to any running Sandbox Agent server without additional configuration.
+
+## Adding Origins
+
+Use `--cors-allow-origin` to allow additional origins. These are **cumulative** with the default Inspector origin:
+
+```bash
+# Allows both Inspector AND localhost:5173
 sandbox-agent server \
   --token "$SANDBOX_TOKEN" \
-  --cors-allow-origin "http://localhost:5173" \
-  --cors-allow-method "GET" \
-  --cors-allow-method "POST" \
-  --cors-allow-header "Authorization" \
-  --cors-allow-header "Content-Type" \
-  --cors-allow-credentials
+  --cors-allow-origin "http://localhost:5173"
 ```
 
 ## Options
 
 | Flag | Description |
 |------|-------------|
-| `--cors-allow-origin` | Origins allowed to make requests (e.g., `http://localhost:5173`) |
-| `--cors-allow-method` | HTTP methods to allow (can be specified multiple times) |
-| `--cors-allow-header` | Headers to allow (can be specified multiple times) |
+| `--cors-allow-origin` | Additional origins to allow (cumulative with Inspector) |
+| `--cors-allow-method` | HTTP methods to allow (defaults to all if not specified) |
+| `--cors-allow-header` | Headers to allow (defaults to all if not specified) |
 | `--cors-allow-credentials` | Allow credentials (cookies, authorization headers) |
+| `--no-inspector-cors` | Disable the default Inspector origin |
+
+## Disabling Inspector CORS
+
+To disable the default Inspector origin and only allow explicitly specified origins:
+
+```bash
+# Only allows localhost:5173, not Inspector
+sandbox-agent server \
+  --token "$SANDBOX_TOKEN" \
+  --no-inspector-cors \
+  --cors-allow-origin "http://localhost:5173"
+```
 
 ## Multiple Origins
 
-You can allow multiple origins by specifying the flag multiple times:
+Specify the flag multiple times to allow multiple origins:
 
 ```bash
 sandbox-agent server \
   --token "$SANDBOX_TOKEN" \
   --cors-allow-origin "http://localhost:5173" \
-  --cors-allow-origin "http://localhost:3000" \
-  --cors-allow-method "GET" \
-  --cors-allow-method "POST" \
-  --cors-allow-header "Authorization" \
-  --cors-allow-header "Content-Type"
+  --cors-allow-origin "http://localhost:3000"
 ```
 
-## Production
+## Restricting Methods and Headers
 
-In production, replace `localhost` origins with your actual domain:
+By default, all methods and headers are allowed. To restrict them:
 
 ```bash
 sandbox-agent server \

docs/deploy/daytona.mdx

@@ -3,9 +3,9 @@ title: "Daytona"
 description: "Run the daemon in a Daytona workspace."
 ---
 
-<Note>
-Daytona has [network egress limits](https://www.daytona.io/docs/en/network-limits/) on lower tiers. OpenAI and Anthropic APIs are whitelisted on all tiers, but other external services may be restricted on Tier 1 & 2.
-</Note>
+<Warning>
+Daytona Tier 3+ is required to access api.anthropic.com and api.openai.com. Tier 1/2 sandboxes have restricted network access that will cause agent failures. See [Daytona network limits](https://www.daytona.io/docs/en/network-limits/) for details.
+</Warning>
 
 ## Prerequisites
 
@@ -15,7 +15,7 @@ Daytona has [network egress limits](https://www.daytona.io/docs/en/network-limit
 ## TypeScript Example
 
 ```typescript
-import { Daytona, Image } from "@daytonaio/sdk";
+import { Daytona } from "@daytonaio/sdk";
 import { SandboxAgent } from "sandbox-agent";
 
 const daytona = new Daytona();

docs/deploy/docker.mdx

@@ -15,14 +15,18 @@ Run sandbox-agent in a container with agents pre-installed:
 docker run --rm -p 3000:3000 \
   -e ANTHROPIC_API_KEY="$ANTHROPIC_API_KEY" \
   -e OPENAI_API_KEY="$OPENAI_API_KEY" \
-  debian:bookworm-slim bash -lc "\
-    apt-get update && apt-get install -y curl ca-certificates && \
+  alpine:latest sh -c "\
+    apk add --no-cache curl ca-certificates libstdc++ libgcc bash && \
     curl -fsSL https://releases.rivet.dev/sandbox-agent/latest/install.sh | sh && \
     sandbox-agent install-agent claude && \
     sandbox-agent install-agent codex && \
     sandbox-agent server --no-token --host 0.0.0.0 --port 3000"
 ```
 
+<Note>
+Alpine is required because Claude Code is built for musl libc. Debian/Ubuntu images use glibc and won't work.
+</Note>
+
 Access the API at `http://localhost:3000`.
 
 ## TypeScript with dockerode
@@ -35,14 +39,18 @@ const docker = new Docker();
 const PORT = 3000;
 
 const container = await docker.createContainer({
-  Image: "debian:bookworm-slim",
-  Cmd: ["bash", "-lc", [
-    "apt-get update && apt-get install -y curl ca-certificates",
+  Image: "alpine:latest",
+  Cmd: ["sh", "-c", [
+    "apk add --no-cache curl ca-certificates libstdc++ libgcc bash",
     "curl -fsSL https://releases.rivet.dev/sandbox-agent/latest/install.sh | sh",
     "sandbox-agent install-agent claude",
     "sandbox-agent install-agent codex",
     `sandbox-agent server --no-token --host 0.0.0.0 --port ${PORT}`,
   ].join(" && ")],
+  Env: [
+    `ANTHROPIC_API_KEY=${process.env.ANTHROPIC_API_KEY}`,
+    `OPENAI_API_KEY=${process.env.OPENAI_API_KEY}`,
+  ].filter(Boolean),
   ExposedPorts: { [`${PORT}/tcp`]: {} },
   HostConfig: {
     AutoRemove: true,

docs/deploy/e2b.mdx

@@ -19,7 +19,7 @@ const envs: Record<string, string> = {};
 if (process.env.ANTHROPIC_API_KEY) envs.ANTHROPIC_API_KEY = process.env.ANTHROPIC_API_KEY;
 if (process.env.OPENAI_API_KEY) envs.OPENAI_API_KEY = process.env.OPENAI_API_KEY;
 
-const sandbox = await Sandbox.create({ envs });
+const sandbox = await Sandbox.create({ allowInternetAccess: true, envs });
 
 // Install sandbox-agent
 await sandbox.commands.run(