The demo defaults to an allow-list of reviewed page fixtures. Unlisted URLs are denied and produce an audit event.
This pattern is intentional. Web-access tools should be explicit about:
- allowed domains or resources
- blocked resource classes
- timeout and retry limits
- data retention
- incident review for denied calls
Do not turn the example into arbitrary outbound browsing without a reviewed policy.
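
A sketch of the default-deny check described above, added here as an illustration and not taken from the demo's own code. The names `WebAccessPolicy`, `decide` and `prune_audit`, the reason strings, the limit values and the fixture URL are all hypothetical.

```python
import time
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class WebAccessPolicy:
    allowed_urls: frozenset                      # reviewed page fixtures (exact match)
    blocked_suffixes: tuple = (".exe", ".zip")   # blocked resource classes (constructed)
    timeout_seconds: float = 5.0
    max_retries: int = 1
    audit_retention_days: int = 30

def normalize(url):
    """Canonical https URL without fragment, or None if unacceptable outright."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port                        # raises ValueError on a bad port
    except ValueError:
        return None
    if (parts.scheme != "https" or not parts.hostname or parts.username
            or parts.password or port not in (None, 443)):
        return None
    query = f"?{parts.query}" if parts.query else ""
    return f"https://{parts.hostname}{parts.path or '/'}{query}"

def decide(policy, url, audit_log, now=None):
    """Default-deny check; every denial appends exactly one audit event."""
    canonical = normalize(url)
    if canonical is None:
        reason = "malformed_or_not_https"
    elif urlsplit(canonical).path.lower().endswith(policy.blocked_suffixes):
        reason = "blocked_resource_class"
    elif canonical not in policy.allowed_urls:
        reason = "not_on_allow_list"
    else:
        return {"allowed": True, "url": canonical,
                "timeout": policy.timeout_seconds, "max_retries": policy.max_retries}
    audit_log.append({"ts": time.time() if now is None else now, "reason": reason,
                      "event": "web_access_denied", "url": url[:200]})  # truncate untrusted input
    return {"allowed": False, "reason": reason}

def prune_audit(policy, audit_log, now):
    """Apply the retention limit: keep only events inside the window."""
    cutoff = now - policy.audit_retention_days * 86400
    return [e for e in audit_log if e["ts"] >= cutoff]

# Constructed sample policy with a single reviewed fixture.
POLICY = WebAccessPolicy(frozenset({"https://docs.example.test/fixtures/page-1.html"}))
```

An allowed decision carries the timeout and retry limits with it, so the fetch layer takes them from the reviewed policy instead of choosing its own.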