Sandbox CLI

Sandbox CLI

Manage Docker-based sandbox containers for isolated agent execution.

Overview

CoderClaw can run agents in isolated Docker containers for security. The sandbox commands help you manage these containers, especially after updates or configuration changes.

Commands

coderclaw sandbox explain

Inspect the effective sandbox mode/scope/workspace access, sandbox tool policy, and elevated gates (with fix-it config key paths).

coderclaw sandbox explain
coderclaw sandbox explain --session agent:main:main
coderclaw sandbox explain --agent work
coderclaw sandbox explain --json

coderclaw sandbox list

List all sandbox containers with their status and configuration.

coderclaw sandbox list
coderclaw sandbox list --browser  # List only browser containers
coderclaw sandbox list --json     # JSON output

Output includes:

• Container name and status (running/stopped)
• Docker image and whether it matches config
• Age (time since creation)
• Idle time (time since last use)
• Associated session/agent

coderclaw sandbox recreate

Remove sandbox containers to force recreation with updated images/config.

coderclaw sandbox recreate --all                # Recreate all containers
coderclaw sandbox recreate --session main       # Specific session
coderclaw sandbox recreate --agent mybot        # Specific agent
coderclaw sandbox recreate --browser            # Only browser containers
coderclaw sandbox recreate --all --force        # Skip confirmation

Options:

• --all: Recreate all sandbox containers
• --session <key>: Recreate container for specific session
• --agent <id>: Recreate containers for specific agent
• --browser: Only recreate browser containers
• --force: Skip confirmation prompt

Important: Containers are automatically recreated when the agent is next used.

Use Cases

After updating Docker images

# Pull new image
docker pull coderclaw-sandbox:latest
docker tag coderclaw-sandbox:latest coderclaw-sandbox:bookworm-slim

# Update config to use new image
# Edit config: agents.defaults.sandbox.docker.image (or agents.list[].sandbox.docker.image)

# Recreate containers
coderclaw sandbox recreate --all

After changing sandbox configuration

# Edit config: agents.defaults.sandbox.* (or agents.list[].sandbox.*)

# Recreate to apply new config
coderclaw sandbox recreate --all

After changing setupCommand

coderclaw sandbox recreate --all
# or just one agent:
coderclaw sandbox recreate --agent family

For a specific agent only

# Update only one agent's containers
coderclaw sandbox recreate --agent alfred

Why is this needed?

Problem: When you update sandbox Docker images or configuration:

• Existing containers continue running with old settings
• Containers are only pruned after 24h of inactivity
• Regularly-used agents keep old containers running indefinitely

Solution: Use coderclaw sandbox recreate to force removal of old containers. They’ll be recreated automatically with current settings when next needed.

Tip: prefer coderclaw sandbox recreate over manual docker rm. It uses the Gateway’s container naming and avoids mismatches when scope/session keys change.

Configuration

Sandbox settings live in ~/.coderclaw/coderclaw.json under agents.defaults.sandbox (per-agent overrides go in agents.list[].sandbox):

{
  "agents": {
    "defaults": {
      "sandbox": {
        "mode": "all", // off, non-main, all
        "scope": "agent", // session, agent, shared
        "docker": {
          "image": "coderclaw-sandbox:bookworm-slim",
          "containerPrefix": "coderclaw-sbx-",
          // ... more Docker options
        },
        "prune": {
          "idleHours": 24, // Auto-prune after 24h idle
          "maxAgeDays": 7, // Auto-prune after 7 days
        },
      },
    },
  },
}

See Also

• Sandbox Documentation
• Agent Configuration
• Doctor Command - Check sandbox setup