let5see/clawdbot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(sandbox): per-agent docker setupCommand

Browse Source
This commit is contained in:
Peter Steinberger
2026-01-08 00:52:15 +01:00
parent 6143ad13be
commit b03a1ad814
8 changed files with 109 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/concepts/multi-agent.md
View File

@@ -152,6 +152,10 @@ Starting with v2026.1.6, each agent can have its own sandbox and tool restrictio
sandbox: {
mode: "all", // Always sandboxed
scope: "agent", // One container per agent
docker: {
// Optional one-time setup after container creation
setupCommand: "apt-get update && apt-get install -y git curl",
},
},
tools: {
allow: ["read"], // Only read tool

2
docs/gateway/configuration.md
View File

@@ -339,6 +339,7 @@ Run multiple isolated agents (separate workspace, `agentDir`, sessions) inside o
- `workspaceAccess`: `"none"` | `"ro"` | `"rw"`
- `scope`: `"session"` | `"agent"` | `"shared"`
- `workspaceRoot`: custom sandbox workspace root
- `docker.setupCommand`: optional one-time setup command (runs once after container creation; ignored when `scope: "shared"`)
- `tools`: per-agent sandbox tool policy (deny wins; overrides `agent.sandbox.tools`)
- `tools`: per-agent tool restrictions (overrides `agent.tools`; applied before sandbox tool policy).
- `allow`: array of allowed tool names
@@ -1115,6 +1116,7 @@ Legacy: `perSession` is still supported (`true` → `scope: "session"`,
capDrop: ["ALL"],
env: { LANG: "C.UTF-8" },
setupCommand: "apt-get update && apt-get install -y git curl jq",
// Per-agent override (multi-agent): routing.agents.<agentId>.sandbox.docker.setupCommand
pidsLimit: 256,
memory: "1g",
memorySwap: "2g",

3
docs/install/docker.md
View File

@@ -160,6 +160,9 @@ Hardening knobs live under `agent.sandbox.docker`:
`network`, `user`, `pidsLimit`, `memory`, `memorySwap`, `cpus`, `ulimits`,
`seccompProfile`, `apparmorProfile`, `dns`, `extraHosts`.
Multi-agent: override `setupCommand` per agent via `routing.agents.<agentId>.sandbox.docker.setupCommand`
(ignored when `agent.sandbox.scope` / `routing.agents.<agentId>.sandbox.scope` is `"shared"`).
### Build the default sandbox image
```bash