refactor(sandbox): centralize network mode policy helpers

Peter Steinberger
2026-02-24 23:26:46 +00:00
parent 14b6eea6e3
commit 5552f9073f
7 changed files with 78 additions and 19 deletions


@@ -299,6 +299,10 @@ export const FIELD_HELP: Record<string, string> = {
"agents.defaults.sandbox.browser.network":
"Docker network for sandbox browser containers (default: openclaw-sandbox-browser). Avoid bridge if you need stricter isolation.",
"agents.list[].sandbox.browser.network": "Per-agent override for sandbox browser Docker network.",
"agents.defaults.sandbox.docker.dangerouslyAllowContainerNamespaceJoin":
"DANGEROUS break-glass override that allows sandbox Docker network mode container:<id>. This joins another container namespace and weakens sandbox isolation.",
"agents.list[].sandbox.docker.dangerouslyAllowContainerNamespaceJoin":
"Per-agent DANGEROUS override for container namespace joins in sandbox Docker network mode.",
"agents.defaults.sandbox.browser.cdpSourceRange":
"Optional CIDR allowlist for container-edge CDP ingress (for example 172.21.0.1/32).",
"agents.list[].sandbox.browser.cdpSourceRange":
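Review bot: The new help text for `agents.defaults.sandbox.docker.dangerouslyAllowContainerNamespaceJoin` says the override "joins another container namespace" without naming which namespace, so an operator reading it cannot judge what becomes reachable. Docker's `container:<id>` network mode shares the target container's network namespace, so the sandbox sees the same interfaces and loopback-bound listeners as that container. Consider ending the string with `The sandbox then shares that container's network namespace (interfaces and localhost listeners), which weakens sandbox isolation.` The per-agent entry for `agents.list[].sandbox.docker.dangerouslyAllowContainerNamespaceJoin` could also say whether it can re-enable the override when the defaults value is off; that precedence is not visible in this hunk. `FIELD_HELP` starts and ends outside the hunk.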