feat: add per-agent sandbox and tool configuration #380
Merged
steipete merged 15 commits into openclaw:main on Jan 7, 2026
Conversation
Contributor:
Nice, this looks like a better version of my PR #351 👍 Will close mine
added 11 commits on January 7, 2026 12:09
Add optional per-agent configuration:
- sandbox: { mode, scope, perSession, workspaceRoot }
- tools: { allow, deny }
These will allow agents to override global agent.sandbox and
agent.tools settings.
Validate per-agent sandbox config:
- mode: 'off' | 'non-main' | 'all'
- scope: 'session' | 'agent' | 'shared'
- perSession: boolean
- workspaceRoot: string
Validate per-agent tools config:
- allow: string[]
- deny: string[]
Return newly added fields from routing.agents config:
- sandbox: agent-specific sandbox configuration
- tools: agent-specific tool restrictions
This makes per-agent sandbox and tool settings accessible to other parts of the codebase.
Changes to defaultSandboxConfig():
- Add optional agentId parameter
- Load routing.agents[agentId].sandbox if available
- Prefer agent-specific settings over global agent.sandbox
Update callers in resolveSandboxContext() and ensureSandboxWorkspaceForSession() to extract agentId from sessionKey and pass it to defaultSandboxConfig().
This enables per-agent sandbox modes (e.g., main: off, family: all).
Add tool filtering layer for per-agent restrictions:
- Extract agentId from sessionKey
- Load routing.agents[agentId].tools via resolveAgentConfig()
- Apply agent-specific allow/deny before sandbox filtering
Filtering order:
1. Global (agent.tools)
2. Agent-specific (routing.agents[id].tools) ← NEW
3. Sandbox (agent.sandbox.tools)
4. Subagent policy
This enables different tool permissions per agent (e.g., main: all tools, family: read only).
Add 7 tests for resolveAgentConfig():
- Return undefined when no agents config exists
- Return undefined when agent id does not exist
- Return basic agent config (name, workspace, agentDir, model)
- Return agent-specific sandbox config
- Return agent-specific tools config
- Return both sandbox and tools config
- Normalize agent id
All tests pass.
Add 6 tests for agent-specific sandbox configuration:
- Use global sandbox config when no agent-specific config exists
- Override with agent-specific sandbox mode 'off'
- Use agent-specific sandbox mode 'all'
- Use agent-specific scope
- Use agent-specific workspaceRoot
- Prefer agent config over global for multiple agents
All tests pass.
Add 5 tests for agent-specific tool restrictions:
- Apply global tool policy when no agent-specific policy exists
- Apply agent-specific tool policy
- Allow different tool policies for different agents
- Combine global and agent-specific deny lists
- Work with sandbox tools filtering
All tests pass.
Update routing.agents section:
- Add sandbox field documentation (mode, scope, workspaceRoot)
- Add tools field documentation (allow, deny)
- Note that agent-specific settings override global config
Add new section explaining:
- How to configure per-agent sandbox settings
- How to configure per-agent tool restrictions
- Benefits (security isolation, resource control, flexible policies)
- Link to detailed guide
Include example config showing personal assistant (no sandbox) vs family bot (sandboxed with read-only tools).
Add docs/multi-agent-sandbox-tools.md covering:
- Configuration examples (personal + restricted, work agents)
- Different sandbox modes per agent
- Tool restriction patterns (read-only, safe execution, communication-only)
- Configuration precedence rules
- Migration guide from single-agent setups
- Troubleshooting tips
Add PR_SUMMARY.md for upstream submission with:
- Feature overview and use cases
- Implementation details (49 LoC across 5 files)
- Test coverage (18 new tests, all existing tests pass)
- Backward compatibility confirmation
- Migration examples
---
Kudos to Eula, the beautiful and selfless family owl 🦉 This feature was developed to enable safe, restricted access for family group chats while maintaining full access for the personal assistant. Schuhu!
5fd4a2a to 1143b3e
Contributor:
Thanks Clawtributor! This misses the new workspaceAccess I added earlier today, but will weave in.
Contributor:
Already landed on main (patch-equivalent). See comment for follow-up SHAs.
dgarson added a commit to dgarson/clawdbot that referenced this pull request on Feb 9, 2026:
…penclaw#380) * Web: honor live sessions and agent status gating * Web: disable status toggles when gateway connected
zooqueen pushed a commit to hanzoai/bot that referenced this pull request on Mar 6, 2026:
…ox-tools feat: add per-agent sandbox and tool configuration
Per-Agent Sandbox and Tool Configuration
Motivation
This PR enables multi-agent setups with different security profiles - a real-world need when running multiple agents with varying trust levels.
Use case: Personal assistant with full system access vs. family group chat bot with restricted permissions.
Implementation
Very minimal changes (49 LoC across 5 files):
- routing.agents[].sandbox and routing.agents[].tools
- defaultSandboxConfig() and tool filtering
Example Config
```json
{
  "routing": {
    "agents": {
      "main": {
        "workspace": "~/clawd",
        "sandbox": { "mode": "off" }
      },
      "family": {
        "workspace": "~/clawd-family",
        "sandbox": { "mode": "all", "scope": "agent" },
        "tools": { "allow": ["read"], "deny": ["bash", "write", "edit"] }
      }
    }
  }
}
```
Result:
- main agent: Host, all tools available
- family agent: Docker container, read-only
Backward Compatibility
✅ 100% backward compatible - new fields are optional, defaults to global config
Testing
Documentation
- docs/multi-agent-sandbox-tools.md
- docs/concepts/multi-agent.md
- docs/gateway/configuration.md
Kudos to Eula 🦉, the beautiful and selfless family owl who inspired this feature! This enables safe, restricted access for family group chats while maintaining full control for the personal assistant. Schuhu!
Looking forward to feedback! Happy to adjust the approach if there's a preferred pattern.
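The precedence rules this PR describes (agent-specific sandbox fields over global agent.sandbox, and tool filtering in the order global, then agent-specific, then sandbox) as an added TypeScript illustration. This is not openclaw's code: the function names resolveAgentConfig and defaultSandboxConfig are taken from the commit messages above, but their bodies here are a simplified model; the tool catalogue, the global deny list and the sandbox deny list are constructed; the meaning of mode 'non-main' (sandbox every agent except the one with id main) and the id normalization (trim and lower-case) are assumptions; and step 4, the subagent policy, is not modelled.

```typescript
// Added illustration, not openclaw's code: models the per-agent sandbox and
// tool precedence described in PR #380 (global -> agent-specific -> sandbox).
type SandboxMode = "off" | "non-main" | "all";
type SandboxScope = "session" | "agent" | "shared";

interface ToolPolicy {
  allow?: string[];
  deny?: string[];
}

interface SandboxConfig {
  mode: SandboxMode;
  scope: SandboxScope;
  perSession?: boolean;
  workspaceRoot?: string;
  tools?: ToolPolicy; // agent.sandbox.tools: applied only when the agent is sandboxed
}

interface AgentConfig {
  workspace?: string;
  sandbox?: Omit<Partial<SandboxConfig>, "tools">; // per-agent: mode, scope, perSession, workspaceRoot
  tools?: ToolPolicy;
}

interface Config {
  agent?: { sandbox?: Partial<SandboxConfig>; tools?: ToolPolicy };
  routing?: { agents?: Record<string, AgentConfig> };
}

// Assumed built-in defaults (constructed for this example).
const SANDBOX_DEFAULTS: SandboxConfig = { mode: "non-main", scope: "session" };

// Constructed tool catalogue; the real tool names are not on the page.
const ALL_TOOLS = ["read", "write", "edit", "bash", "browser", "message"];

// Constructed config: the PR's example plus a global deny and a sandbox deny.
const EXAMPLE_CONFIG: Config = {
  agent: {
    tools: { deny: ["browser"] },                             // 1. global policy
    sandbox: { mode: "non-main", tools: { deny: ["bash"] } }, // 3. sandbox policy
  },
  routing: {
    agents: {
      main: { workspace: "~/clawd", sandbox: { mode: "off" } },
      family: {
        workspace: "~/clawd-family",
        sandbox: { mode: "all", scope: "agent" },
        tools: { allow: ["read"], deny: ["bash", "write", "edit"] }, // 2. agent-specific
      },
    },
  },
};

// Look up routing.agents[id]; normalization (trim + lower-case) is an assumption.
function resolveAgentConfig(cfg: Config, agentId: string): AgentConfig | undefined {
  const id = agentId.trim().toLowerCase();
  return cfg.routing?.agents?.[id];
}

// Agent-specific sandbox fields win over global agent.sandbox, which wins over defaults.
function defaultSandboxConfig(cfg: Config, agentId?: string): SandboxConfig {
  const perAgent = agentId ? resolveAgentConfig(cfg, agentId)?.sandbox : undefined;
  return { ...SANDBOX_DEFAULTS, ...(cfg.agent?.sandbox ?? {}), ...(perAgent ?? {}) };
}

// Assumption: "non-main" sandboxes every agent except the one with id "main".
function isSandboxed(mode: SandboxMode, agentId: string): boolean {
  return mode === "all" || (mode === "non-main" && agentId !== "main");
}

// A non-empty allow list restricts; deny always removes, so deny wins over allow.
function applyPolicy(tools: string[], policy?: ToolPolicy): string[] {
  if (!policy) return tools;
  const allow = policy.allow ?? [];
  const deny = policy.deny ?? [];
  return tools
    .filter((t) => allow.length === 0 || allow.includes(t))
    .filter((t) => !deny.includes(t));
}

// Filtering order from the PR: global -> agent-specific -> sandbox (subagent step omitted).
function filterTools(cfg: Config, agentId: string, tools: string[] = ALL_TOOLS): string[] {
  let out = applyPolicy(tools, cfg.agent?.tools);
  out = applyPolicy(out, resolveAgentConfig(cfg, agentId)?.tools);
  const sandbox = defaultSandboxConfig(cfg, agentId);
  if (isSandboxed(sandbox.mode, agentId)) {
    out = applyPolicy(out, sandbox.tools);
  }
  return out;
}

for (const id of ["main", "family", "guest"]) {
  console.log(id, defaultSandboxConfig(EXAMPLE_CONFIG, id).mode, filterTools(EXAMPLE_CONFIG, id));
}
```

Running it shows why the order matters: main keeps every tool except the globally denied one because its per-agent mode 'off' skips the sandbox step, family ends up with read only (its allow list restricts, its deny list and the sandbox deny remove nothing further), and an agent with no entry in routing.agents (guest) falls back to the global sandbox and so loses bash.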