diff --git a/spec/openapi.infra.yaml b/spec/openapi.infra.yaml index f5c8960ed..9b7157faa 100644 --- a/spec/openapi.infra.yaml +++ b/spec/openapi.infra.yaml @@ -282,6 +282,36 @@ components: maskRequestHost: type: string description: Specify host mask which will be used for all sandbox requests + rules: + type: object + description: > + Per-domain transform rules applied to matching egress HTTP/HTTPS requests. + Keys are domains (e.g. "api.example.com", "example.com"). + A domain listed here is not automatically allowed - use allowOut to permit the traffic. + additionalProperties: + type: array + items: + $ref: '#/components/schemas/SandboxNetworkRule' + + SandboxNetworkRule: + type: object + description: Transform rule applied to egress requests matching a domain pattern. + properties: + transform: + $ref: '#/components/schemas/SandboxNetworkTransform' + + SandboxNetworkTransform: + type: object + description: Transformations applied to matching egress requests before forwarding. + properties: + headers: + type: object + description: > + HTTP headers to inject or override in matching requests. + An existing header with the same name is replaced. Values are plain strings; + secret resolution happens client-side before sending to the API. + additionalProperties: + type: string SandboxAutoResumeEnabled: type: boolean @@ -2372,7 +2402,7 @@ paths: /sandboxes/{sandboxID}/network: put: - description: Update the network configuration for a running sandbox. Replaces the current egress rules with the provided configuration. Omitting both fields clears all egress rules. + description: Update the network configuration for a running sandbox. Replaces the current egress rules with the provided configuration. Omitting field clears it. security: - ApiKeyAuth: [] - Supabase1TokenAuth: [] 
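Review bot: The `headers` map in `SandboxNetworkTransform` accepts any string as a header name or value (`additionalProperties: type: string` with nothing else), so the spec does not rule out CR/LF in values, oversized values, or names such as `Host`, `Content-Length` and `Transfer-Encoding` that the egress proxy presumably has to control itself. Because these values are written into outgoing requests, I would bound them in the schema, for example `maxLength: 8192` and `pattern: '^[^\r\n]*$'` under `additionalProperties`, and list the rejected header names in the description. How an override of `Host` interacts with `maskRequestHost` is also left undefined in this hunk. The server needs to enforce the same checks regardless of the schema, since the description states that clients submit already-resolved values.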
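Review bot: The new sentence `Omitting field clears it.` in the `PUT /sandboxes/{sandboxID}/network` description does not say which fields it covers, and it conflicts with the `rules` description added in the request-body hunk that follows (`Replaces all existing rules when provided`), which reads as if omitting `rules` leaves them in place. The distinction matters for `denyOut`: if omission clears, a client that sends only `rules` silently drops its deny list. I would spell it out, e.g. `Each of allowOut, denyOut and rules that is omitted is cleared; send the complete desired configuration on every call.`, align the `rules` description with it, and state whether `allow_internet_access` follows the same rule. The same sentence is repeated in the `@description` comment in src/core/shared/contracts/infra-api.types.ts.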
@@ -2395,6 +2425,13 @@ paths: description: List of denied CIDR blocks or IP addresses for egress traffic. Domain names are not supported for deny rules. items: type: string + rules: + type: object + description: Per-domain transform rules. Replaces all existing rules when provided. + additionalProperties: + type: array + items: + $ref: '#/components/schemas/SandboxNetworkRule' allow_internet_access: type: boolean description: diff --git a/src/core/shared/contracts/infra-api.types.ts b/src/core/shared/contracts/infra-api.types.ts index d4b5a3eba..d4a49623a 100644 --- a/src/core/shared/contracts/infra-api.types.ts +++ b/src/core/shared/contracts/infra-api.types.ts @@ -742,7 +742,7 @@ export interface paths { cookie?: never } get?: never - /** @description Update the network configuration for a running sandbox. Replaces the current egress rules with the provided configuration. Omitting both fields clears all egress rules. */ + /** @description Update the network configuration for a running sandbox. Replaces the current egress rules with the provided configuration. Omitting field clears it. */ put: { parameters: { query?: never @@ -759,6 +759,10 @@ export interface paths { allowOut?: string[] /** @description List of denied CIDR blocks or IP addresses for egress traffic. Domain names are not supported for deny rules. */ denyOut?: string[] + /** @description Per-domain transform rules. Replaces all existing rules when provided. */ + rules?: { + [key: string]: components['schemas']['SandboxNetworkRule'][] + } /** @description Allow sandbox to access the internet. When set to false, it behaves the same as specifying denyOut to 0.0.0.0/0 in the network config. */ allow_internet_access?: boolean } 
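Review bot: The `rules` property added to the `PUT /sandboxes/{sandboxID}/network` request body in spec/openapi.infra.yaml carries header values that, per the `SandboxNetworkTransform` description, may be secrets already resolved by the client, yet nothing in the schema marks them as sensitive. I would add `writeOnly: true` and `format: password` to the header value schema so generated docs and clients treat them as credentials, and say in the description that request-body logging must redact them. Whether any read endpoint returns `SandboxNetworkConfig.rules` is not visible in this diff; if one does, the values should be omitted or masked there. This description also drops the component schema's warning that a listed domain is not automatically allowed, and neither place says whether a key also matches subdomains, which decides where an injected credential can end up.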
@@ -2256,6 +2260,21 @@ export interface components { denyOut?: string[] /** @description Specify host mask which will be used for all sandbox requests */ maskRequestHost?: string + /** @description Per-domain transform rules applied to matching egress HTTP/HTTPS requests. Keys are domains (e.g. "api.example.com", "example.com"). A domain listed here is not automatically allowed - use allowOut to permit the traffic. */ + rules?: { + [key: string]: components['schemas']['SandboxNetworkRule'][] + } + } + /** @description Transform rule applied to egress requests matching a domain pattern. */ + SandboxNetworkRule: { + transform?: components['schemas']['SandboxNetworkTransform'] + } + /** @description Transformations applied to matching egress requests before forwarding. */ + SandboxNetworkTransform: { + /** @description HTTP headers to inject or override in matching requests. An existing header with the same name is replaced. Values are plain strings; secret resolution happens client-side before sending to the API. */ + headers?: { + [key: string]: string + } } /** * @description Auto-resume enabled flag for paused sandboxes. Default false.