Sandboxing of agents #40482
Replies: 2 comments
While not a generic solution like running in a container, Anthropic did recently introduce a sandboxing feature for Claude Code that can accomplish this. See #42025.
Feels like that's a step in the right direction. Personally, I would still prefer the default for any local agent to be started in a container when possible, and mount the volume for code access. I'm not sure if that would work correctly or if references to files would need to be "translated". However, this would essentially have a non-"cooperative" way of isolating the agent processes regardless of them supporting sandboxes or not.
It would be great to support the locally running agents through sandboxing by default. It's a pretty big attack vector to run potentially proprietary code.
Would be great if the current support for gemini, codex and claude code had an option to run in containers with a volume mounted on the project root or a pre-defined root. Is there a reason this couldn't work? I understand this can probably be achieved by defining "external agents" by hand, but that would only bring benefits to a very very small number of users vs making that the default.