feat: wire multi-agent config and routing

Co-authored-by: Mark Pors <1078320+pors@users.noreply.github.com>

docs/install/docker.md

@@ -109,12 +109,12 @@ Deep dive: [Sandboxing](/gateway/sandboxing)
 
 ### What it does
 
-When `agent.sandbox` is enabled, **non-main sessions** run tools inside a Docker
+When `agents.defaults.sandbox` is enabled, **non-main sessions** run tools inside a Docker
 container. The gateway stays on your host, but the tool execution is isolated:
 - scope: `"agent"` by default (one container + workspace per agent)
 - scope: `"session"` for per-session isolation
 - per-scope workspace folder mounted at `/workspace`
-- optional agent workspace access (`agent.sandbox.workspaceAccess`)
+- optional agent workspace access (`agents.defaults.sandbox.workspaceAccess`)
 - allow/deny tool policy (deny wins)
 - inbound media is copied into the active sandbox workspace (`media/inbound/*`) so tools can read it (with `workspaceAccess: "rw"`, this lands in the agent workspace)
 
@@ -124,7 +124,7 @@ one container and one workspace.
 ### Per-agent sandbox profiles (multi-agent)
 
 If you use multi-agent routing, each agent can override sandbox + tool settings:
-`routing.agents[id].sandbox` and `routing.agents[id].tools`. This lets you run
+`agents.list[].sandbox` and `agents.list[].tools` (plus `agents.list[].tools.sandbox.tools`). This lets you run
 mixed access levels in one gateway:
 - Full access (personal agent)
 - Read-only tools + read-only workspace (family/work agent)
@@ -149,54 +149,60 @@ precedence, and troubleshooting.
 
 ```json5
 {
-  agent: {
-    sandbox: {
-      mode: "non-main", // off | non-main | all
-      scope: "agent", // session | agent | shared (agent is default)
-      workspaceAccess: "none", // none | ro | rw
-      workspaceRoot: "~/.clawdbot/sandboxes",
-      docker: {
-        image: "clawdbot-sandbox:bookworm-slim",
-        workdir: "/workspace",
-        readOnlyRoot: true,
-        tmpfs: ["/tmp", "/var/tmp", "/run"],
-        network: "none",
-        user: "1000:1000",
-        capDrop: ["ALL"],
-        env: { LANG: "C.UTF-8" },
-        setupCommand: "apt-get update && apt-get install -y git curl jq",
-        pidsLimit: 256,
-        memory: "1g",
-        memorySwap: "2g",
-        cpus: 1,
-        ulimits: {
-          nofile: { soft: 1024, hard: 2048 },
-          nproc: 256
+  agents: {
+    defaults: {
+      sandbox: {
+        mode: "non-main", // off | non-main | all
+        scope: "agent", // session | agent | shared (agent is default)
+        workspaceAccess: "none", // none | ro | rw
+        workspaceRoot: "~/.clawdbot/sandboxes",
+        docker: {
+          image: "clawdbot-sandbox:bookworm-slim",
+          workdir: "/workspace",
+          readOnlyRoot: true,
+          tmpfs: ["/tmp", "/var/tmp", "/run"],
+          network: "none",
+          user: "1000:1000",
+          capDrop: ["ALL"],
+          env: { LANG: "C.UTF-8" },
+          setupCommand: "apt-get update && apt-get install -y git curl jq",
+          pidsLimit: 256,
+          memory: "1g",
+          memorySwap: "2g",
+          cpus: 1,
+          ulimits: {
+            nofile: { soft: 1024, hard: 2048 },
+            nproc: 256
+          },
+          seccompProfile: "/path/to/seccomp.json",
+          apparmorProfile: "clawdbot-sandbox",
+          dns: ["1.1.1.1", "8.8.8.8"],
+          extraHosts: ["internal.service:10.0.0.5"]
         },
-        seccompProfile: "/path/to/seccomp.json",
-        apparmorProfile: "clawdbot-sandbox",
-        dns: ["1.1.1.1", "8.8.8.8"],
-        extraHosts: ["internal.service:10.0.0.5"]
-      },
+        prune: {
+          idleHours: 24, // 0 disables idle pruning
+          maxAgeDays: 7  // 0 disables max-age pruning
+        }
+      }
+    }
+  },
+  tools: {
+    sandbox: {
       tools: {
         allow: ["bash", "process", "read", "write", "edit", "sessions_list", "sessions_history", "sessions_send", "sessions_spawn"],
         deny: ["browser", "canvas", "nodes", "cron", "discord", "gateway"]
-      },
-      prune: {
-        idleHours: 24, // 0 disables idle pruning
-        maxAgeDays: 7  // 0 disables max-age pruning
       }
     }
   }
 }
 ```
 
-Hardening knobs live under `agent.sandbox.docker`:
+Hardening knobs live under `agents.defaults.sandbox.docker`:
 `network`, `user`, `pidsLimit`, `memory`, `memorySwap`, `cpus`, `ulimits`,
 `seccompProfile`, `apparmorProfile`, `dns`, `extraHosts`.
 
-Multi-agent: override `agent.sandbox.{docker,browser,prune}.*` per agent via `routing.agents.<agentId>.sandbox.{docker,browser,prune}.*`
-(ignored when `agent.sandbox.scope` / `routing.agents.<agentId>.sandbox.scope` is `"shared"`).
+Multi-agent: override `agents.defaults.sandbox.{docker,browser,prune}.*` per agent via `agents.list[].sandbox.{docker,browser,prune}.*`
+(ignored when `agents.defaults.sandbox.scope` / `agents.list[].sandbox.scope` is `"shared"`).
 
 ### Build the default sandbox image
 
@@ -217,7 +223,7 @@ This builds `clawdbot-sandbox-common:bookworm-slim`. To use it:
 
 ```json5
 {
-  agent: { sandbox: { docker: { image: "clawdbot-sandbox-common:bookworm-slim" } } }
+  agents: { defaults: { sandbox: { docker: { image: "clawdbot-sandbox-common:bookworm-slim" } } } }
 }
 ```
 
@@ -235,16 +241,18 @@ an optional noVNC observer (headful via Xvfb).
 
 Notes:
 - Headful (Xvfb) reduces bot blocking vs headless.
-- Headless can still be used by setting `agent.sandbox.browser.headless=true`.
+- Headless can still be used by setting `agents.defaults.sandbox.browser.headless=true`.
 - No full desktop environment (GNOME) is needed; Xvfb provides the display.
 
 Use config:
 
 ```json5
 {
-  agent: {
-    sandbox: {
-      browser: { enabled: true }
+  agents: {
+    defaults: {
+      sandbox: {
+        browser: { enabled: true }
+      }
     }
   }
 }
@@ -254,8 +262,10 @@ Custom browser image:
 
 ```json5
 {
-  agent: {
-    sandbox: { browser: { image: "my-clawdbot-browser" } }
+  agents: {
+    defaults: {
+      sandbox: { browser: { image: "my-clawdbot-browser" } }
+    }
   }
 }
 ```
@@ -266,7 +276,7 @@ When enabled, the agent receives:
 
 Remember: if you use an allowlist for tools, add `browser` (and remove it from
 deny) or the tool remains blocked.
-Prune rules (`agent.sandbox.prune`) apply to browser containers too.
+Prune rules (`agents.defaults.sandbox.prune`) apply to browser containers too.
 
 ### Custom sandbox image
 
@@ -278,8 +288,10 @@ docker build -t my-clawdbot-sbx -f Dockerfile.sandbox .
 
 ```json5
 {
-  agent: {
-    sandbox: { docker: { image: "my-clawdbot-sbx" } }
+  agents: {
+    defaults: {
+      sandbox: { docker: { image: "my-clawdbot-sbx" } }
+    }
   }
 }
 ```
@@ -310,7 +322,7 @@ Example:
 
 ## Troubleshooting
 
-- Image missing: build with [`scripts/sandbox-setup.sh`](https://github.com/clawdbot/clawdbot/blob/main/scripts/sandbox-setup.sh) or set `agent.sandbox.docker.image`.
+- Image missing: build with [`scripts/sandbox-setup.sh`](https://github.com/clawdbot/clawdbot/blob/main/scripts/sandbox-setup.sh) or set `agents.defaults.sandbox.docker.image`.
 - Container not running: it will auto-create per session on demand.
 - Permission errors in sandbox: set `docker.user` to a UID:GID that matches your
   mounted workspace ownership (or chown the workspace folder).