From dad1a99a2044e21dc13c2db1dd9aa7dc8a1b3d54 Mon Sep 17 00:00:00 2001
From: sheeek <gitlab@ott.team>
Date: Wed, 7 Jan 2026 11:59:04 +0100
Subject: [PATCH] docs(multi-agent): add section on per-agent sandbox and tools

Add new section explaining:
- How to configure per-agent sandbox settings
- How to configure per-agent tool restrictions
- Benefits (security isolation, resource control, flexible policies)
- Link to detailed guide

Include example config showing personal assistant (no sandbox)
vs family bot (sandboxed with read-only tools).
---
 docs/concepts/multi-agent.md | 38 ++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/docs/concepts/multi-agent.md b/docs/concepts/multi-agent.md
index d17a556a8..1196a9619 100644
--- a/docs/concepts/multi-agent.md
+++ b/docs/concepts/multi-agent.md
@@ -131,3 +131,41 @@ multiple phone numbers without mixing sessions.
   },
 }
 ```
+
+## Per-Agent Sandbox and Tool Configuration
+
+Starting with v2026.1.6, each agent can have its own sandbox and tool restrictions:
+
+```js
+{
+  routing: {
+    agents: {
+      personal: {
+        workspace: "~/clawd-personal",
+        sandbox: {
+          mode: "off",  // No sandbox for personal agent
+        },
+        // No tool restrictions - all tools available
+      },
+      family: {
+        workspace: "~/clawd-family",
+        sandbox: {
+          mode: "all",     // Always sandboxed
+          scope: "agent",  // One container per agent
+        },
+        tools: {
+          allow: ["read"],                    // Only read tool
+          deny: ["bash", "write", "edit"],    // Deny others
+        },
+      },
+    },
+  },
+}
+```
+
+**Benefits:**
+- **Security isolation**: Restrict tools for untrusted agents
+- **Resource control**: Sandbox specific agents while keeping others on host
+- **Flexible policies**: Different permissions per agent
+
+See [Multi-Agent Sandbox & Tools](/docs/multi-agent-sandbox-tools) for detailed examples.