Version: MVP

Docker sandbox backend

Reference | Updated 2026-05-19

What you'll find here

The DockerSandboxRequest boundary that represents containerized execution as an explicit environment decision — isolation defaults, required refs, and the receipt path.

Does not start containers.

The backend records and evaluates the decision. A separate governed container runtime executes.

What it records

DockerSandboxRequest:

Backend id

Image reference

Command reference

Network mode

Mount references and target paths

Environment reference names

Privileged flag

Policy envelope id

Capability grant id

Receipt id

Isolation defaults

Docker sandbox requests are allowed only when:

  1. The backend is a container backend with container isolation.
  2. The backend declares container.run as a run operation.
  3. privileged is false.
  4. Network mode is none or restricted.
  5. Mounts are read-only by default.
  6. Policy, grant, and receipt links are present.

Common denials

Requests using host-like network defaults, privileged containers, read-write mounts, missing policy controls, or missing receipts are denied before dispatch.

Explicit settings

Image refs, command refs, mount refs, and environment refs are references. They must not embed raw credentials, tokens, passwords, or API keys.
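To make the decision rule concrete, the following is an added example, not the project's own code: a Python model of the DockerSandboxRequest fields listed above together with an evaluator that applies the six isolation defaults and the no-embedded-credentials rule for references. It returns denial reasons instead of starting anything, matching the split between recording the decision and the separate governed runtime. The field names, the ref:// reference scheme, the credential-detection patterns and the sample requests are assumptions constructed for this illustration.

```python
"""Added example: evaluate a DockerSandboxRequest against the isolation defaults.

Illustrative code written for this page, not the project's implementation.
Field names, the "container.run" operation string, the ref:// scheme and the
credential patterns are assumptions.
"""
import re
from dataclasses import dataclass, replace
from typing import Optional

ALLOWED_NETWORK_MODES = frozenset({"none", "restricted"})
REQUIRED_OPERATION = "container.run"

# Heuristic patterns for raw credentials embedded in a reference string (assumed).
# A reference *to* a secret by name (e.g. ref://secrets/db) is fine; an inline
# value such as "api_key=..." or "user:pass@host" is not.
_SECRET_PATTERNS = (
    re.compile(r"(?i)\b(password|passwd|pwd|token|api[_-]?key|secret)\s*[=:]"),
    re.compile(r"(?i)\bbearer\s+[a-z0-9._-]+"),
    re.compile(r"://[^/\s:@]+:[^/\s@]+@"),  # URL userinfo: user:pass@host
)


@dataclass(frozen=True)
class Mount:
    mount_ref: str
    target_path: str
    read_only: bool = True  # mounts are read-only unless explicitly widened


@dataclass(frozen=True)
class DockerSandboxRequest:
    backend_id: str
    backend_kind: str                # expected: "container"
    isolation: str                   # expected: "container"
    declared_operations: frozenset   # must include "container.run"
    image_ref: str
    command_ref: str
    network_mode: str
    mounts: tuple = ()
    env_refs: tuple = ()             # environment reference *names*, never values
    privileged: bool = False
    policy_envelope_id: Optional[str] = None
    capability_grant_id: Optional[str] = None
    receipt_id: Optional[str] = None


def embeds_credential(ref: str) -> bool:
    """True when a reference string carries an inline credential."""
    return any(p.search(ref) for p in _SECRET_PATTERNS)


def evaluate(req: DockerSandboxRequest) -> list:
    """Return all denial reasons; an empty list means the request is allowed."""
    denials = []
    if req.backend_kind != "container" or req.isolation != "container":
        denials.append("backend is not a container backend with container isolation")
    if REQUIRED_OPERATION not in req.declared_operations:
        denials.append(f"backend does not declare {REQUIRED_OPERATION}")
    if req.privileged:
        denials.append("privileged containers are not allowed")
    if req.network_mode not in ALLOWED_NETWORK_MODES:
        denials.append(f"network mode {req.network_mode!r} is not none/restricted")
    for m in req.mounts:
        if not m.read_only:
            denials.append(f"mount {m.mount_ref} -> {m.target_path} is read-write")
    for name, value in (("policy envelope", req.policy_envelope_id),
                        ("capability grant", req.capability_grant_id),
                        ("receipt", req.receipt_id)):
        if not value:
            denials.append(f"missing {name} link")
    refs = [("image ref", req.image_ref), ("command ref", req.command_ref)]
    refs += [("mount ref", m.mount_ref) for m in req.mounts]
    refs += [("env ref", e) for e in req.env_refs]
    for label, ref in refs:
        if embeds_credential(ref):
            denials.append(f"{label} embeds a raw credential")
    return denials


# Constructed sample: a request that satisfies every default.
BASELINE = DockerSandboxRequest(
    backend_id="backend-docker-01",
    backend_kind="container",
    isolation="container",
    declared_operations=frozenset({"container.run"}),
    image_ref="ref://images/python-3.12-slim",
    command_ref="ref://commands/run-tests",
    network_mode="none",
    mounts=(Mount("ref://mounts/workspace", "/workspace"),),
    env_refs=("CI", "BUILD_ID"),
    policy_envelope_id="policy-0001",
    capability_grant_id="grant-0001",
    receipt_id="receipt-0001",
)


def sample_evaluations() -> dict:
    """Evaluate the baseline and one variant per common denial."""
    cases = {
        "baseline": BASELINE,
        "privileged": replace(BASELINE, privileged=True),
        "host_network": replace(BASELINE, network_mode="host"),
        "rw_mount": replace(BASELINE, mounts=(
            Mount("ref://mounts/workspace", "/workspace", read_only=False),)),
        "no_receipt": replace(BASELINE, receipt_id=None),
        "embedded_key": replace(
            BASELINE, image_ref="ref://images/python?api_key=CONSTRUCTED_VALUE"),
    }
    return {name: evaluate(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, reasons in sample_evaluations().items():
        print(f"{name}: {'allowed' if not reasons else 'denied: ' + '; '.join(reasons)}")
```

The evaluator collects every failing condition rather than stopping at the first, so a denied request's receipt can record the full set of reasons; a single boolean would lose that audit detail.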
