Summary

• Add shared pasta/nsjail networking helpers and enable clone_newnet for agent, Python, and action sandboxes.
• Enable pasta only when the sandbox needs outbound network access, while preserving private loopback-only networking otherwise.
• Generate sandbox-local resolver, hosts, and nsswitch files for pasta-backed DNS instead of bind-mounting host resolver files.
• Mount a fresh read-only procfs inside nsjail PID namespaces instead of bind-mounting host /proc.

Notes

• The local docker-compose.dev.yml changes used for manual cluster testing are intentionally not included in this PR.
• Nested procfs mounting under Docker requires the runtime to allow unmasked system paths; the Dockerized test override now uses systempaths=unconfined for that path.

Validation

• TRACECAT__SERVICE_KEY=test-service-key uv run ruff check tracecat/agent/sandbox/config.py tracecat/sandbox/executor.py tracecat/sandbox/networking.py tests/unit/test_agent_sandbox_config.py tests/unit/test_sandbox_networking.py tests/unit/test_agent_sandbox_litellm.py
• TRACECAT__SERVICE_KEY=test-service-key uv run basedpyright tracecat/agent/sandbox/config.py tracecat/sandbox/executor.py tracecat/sandbox/networking.py tests/unit/test_agent_sandbox_config.py tests/unit/test_sandbox_networking.py tests/unit/test_agent_sandbox_litellm.py
• Dockerized nsjail harness via _run_nsjail_harness_in_docker_or_skip() passed.
• Pasta Docker smoke skipped locally because this host does not expose /dev/net/tun.
• Focused pytest collection for the new config tests failed before test execution because the repo's session DB fixture tried to connect to Postgres on localhost:5432 and it was unavailable.

Coverage Review

The committed unit coverage gives good confidence that generated nsjail configs now always clone a network namespace, only add pasta when internet access is requested, use generated pasta DNS mounts, and mount fresh procfs instead of host /proc.

The current coverage is not enough by itself for a high-confidence production rollout of pasta-backed outbound internet access. The missing piece is an integration test on a Linux runner or node with /dev/net/tun, CAP_SYS_ADMIN, unconfined seccomp, and unmasked proc system paths that verifies real outbound DNS/connectivity through pasta while the jail remains isolated from the host network. A full agent-path assertion that jailed /proc only exposes jail PIDs would also reduce risk.

Summary by cubic

Add pasta userspace networking to nsjail sandboxes with always-isolated network namespaces; pasta is enabled only when outbound internet access is requested. Replace host /proc bind mounts with a fresh read-only procfs and generate sandbox-local DNS files for reliable pasta-backed resolution.

• New Features

  • Always isolate net namespaces; enable pasta only when internet is requested for agent, Python, and action sandboxes.
  • Generate sandbox-local resolv.conf, hosts, and nsswitch.conf; stop bind-mounting host resolver files.
  • New helpers in tracecat/sandbox/networking.py and focused unit tests, plus Dockerized smoke test for pasta.

• Migration

  • Docker runtime must allow nested procfs: add security_opt: ["seccomp:unconfined", "systempaths=unconfined"].
  • Internet-enabled runs/tests require host /dev/net/tun to be available.

^{Written for commit 85f829e. Summary will update on new commits. Review in cubic}