sandboxes: document accessing host services via host.docker.internal

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: dvdksn

content/manuals/ai/sandboxes/troubleshooting.md

@@ -34,6 +34,12 @@ To allow all outbound traffic instead:
 $ sbx policy allow network "**"
 ```
 
+## Can't reach a service running on the host
+
+If a request to `127.0.0.1` or a local network IP returns "connection refused"
+from inside a sandbox, the address is not routable from within the sandbox VM.
+See [Accessing host services from a sandbox](usage.md#accessing-host-services-from-a-sandbox).
+
 ## Docker authentication failure
 
 If you see a message like `You are not authenticated to Docker`, your login

content/manuals/ai/sandboxes/usage.md

@@ -298,6 +298,26 @@ A few things to keep in mind:
   must use `--unpublish 8080:3000`. Run `sbx ports my-sandbox` first if you
   used an ephemeral port and need to find the assigned host port.
 
+## Accessing host services from a sandbox
+
+Services running on your host are reachable from inside a sandbox using the
+hostname `host.docker.internal`.
+Use this instead of `127.0.0.1` or your machine's local network IP address,
+which are not routable from inside the sandbox.
+
+You must also add `host.docker.internal` to your network policy allowlist:
+
+```console
+$ sbx policy allow network host.docker.internal
+```
+
+Then use `host.docker.internal` in any configuration or request that points at
+the host service. For example, to verify connectivity from a sandbox shell:
+
+```console
+$ curl http://host.docker.internal:11434
+```
+
 ## What persists
 
 While a sandbox exists, installed packages, Docker images, configuration