fix: per-agent sandbox overrides

2026-01-07 12:24:12 +01:00
parent e13225c9d1
commit 573fe74a9c
13 changed files with 138 additions and 223 deletions
--- a/src/config/types.ts
+++ b/src/config/types.ts
@@ -586,11 +586,18 @@ export type RoutingConfig = {
      model?: string;
      sandbox?: {
        mode?: "off" | "non-main" | "all";
+        /** Agent workspace access inside the sandbox. */
+        workspaceAccess?: "none" | "ro" | "rw";
        /** Container/workspace scope for sandbox isolation. */
        scope?: "session" | "agent" | "shared";
        /** Legacy alias for scope ("session" when true, "shared" when false). */
        perSession?: boolean;
        workspaceRoot?: string;
+        /** Tool allow/deny policy for sandboxed sessions (deny wins). */
+        tools?: {
+          allow?: string[];
+          deny?: string[];
+        };
      };
      tools?: {
        allow?: string[];