feat(sandbox): per-agent docker overrides

2026-01-08 01:06:09 +01:00
parent badc1602c8
commit 4f58e6aa7c
9 changed files with 280 additions and 120 deletions
--- a/docs/gateway/configuration.md
+++ b/docs/gateway/configuration.md
@@ -339,7 +339,7 @@ Run multiple isolated agents (separate workspace, `agentDir`, sessions) inside o
    - `workspaceAccess`: `"none"` | `"ro"` | `"rw"`
    - `scope`: `"session"` | `"agent"` | `"shared"`
    - `workspaceRoot`: custom sandbox workspace root
-    - `docker.setupCommand`: optional one-time setup command (runs once after container creation; ignored when `scope: "shared"`)
+    - `docker`: per-agent docker overrides (e.g. `image`, `network`, `env`, `setupCommand`, limits; ignored when `scope: "shared"`)
    - `tools`: per-agent sandbox tool policy (deny wins; overrides `agent.sandbox.tools`)
  - `tools`: per-agent tool restrictions (overrides `agent.tools`; applied before sandbox tool policy).
    - `allow`: array of allowed tool names
@@ -1116,7 +1116,7 @@ Legacy: `perSession` is still supported (`true` → `scope: "session"`,
        capDrop: ["ALL"],
        env: { LANG: "C.UTF-8" },
        setupCommand: "apt-get update && apt-get install -y git curl jq",
-        // Per-agent override (multi-agent): routing.agents.<agentId>.sandbox.docker.setupCommand
+        // Per-agent override (multi-agent): routing.agents.<agentId>.sandbox.docker.*
        pidsLimit: 256,
        memory: "1g",
        memorySwap: "2g",
--- a/docs/install/docker.md
+++ b/docs/install/docker.md
@@ -160,7 +160,7 @@ Hardening knobs live under `agent.sandbox.docker`:
 `network`, `user`, `pidsLimit`, `memory`, `memorySwap`, `cpus`, `ulimits`,
 `seccompProfile`, `apparmorProfile`, `dns`, `extraHosts`.

-Multi-agent: override `setupCommand` per agent via `routing.agents.<agentId>.sandbox.docker.setupCommand`
+Multi-agent: override `agent.sandbox.docker.*` per agent via `routing.agents.<agentId>.sandbox.docker.*`
 (ignored when `agent.sandbox.scope` / `routing.agents.<agentId>.sandbox.scope` is `"shared"`).

 ### Build the default sandbox image
--- a/docs/multi-agent-sandbox-tools.md
+++ b/docs/multi-agent-sandbox-tools.md
@@ -1,3 +1,10 @@
+---
+summary: "Per-agent sandbox + tool restrictions, precedence, and examples"
+title: Multi-Agent Sandbox & Tools
+read_when: "You want per-agent sandboxing or per-agent tool allow/deny policies in a multi-agent gateway."
+status: active
+---
+
 # Multi-Agent Sandbox & Tools Configuration

 ## Overview
@@ -142,9 +149,12 @@ routing.agents[id].sandbox.mode > agent.sandbox.mode
 routing.agents[id].sandbox.scope > agent.sandbox.scope
 routing.agents[id].sandbox.workspaceRoot > agent.sandbox.workspaceRoot
 routing.agents[id].sandbox.workspaceAccess > agent.sandbox.workspaceAccess
+routing.agents[id].sandbox.docker.* > agent.sandbox.docker.*
 ```

-**Note:** `docker`, `browser`, and `prune` settings from `agent.sandbox` are still **global** and apply to all sandboxed agents.
+**Notes:**
+- `routing.agents[id].sandbox.docker.*` overrides `agent.sandbox.docker.*` for that agent (ignored when sandbox scope resolves to `"shared"`).
+- `browser` and `prune` settings under `agent.sandbox` are still **global** and apply to all sandboxed agents.

 ### Tool Restrictions
 The filtering order is: