Sandboxing
Container Sandboxing
ThinkFleet runs agents in isolated Docker containers to prevent unintended access to the host system or other tenants.
Sandbox Modes
| Mode | Behavior |
|---|---|
| Off | No sandbox — agent runs on host (not recommended for production) |
| All | All sessions sandboxed in containers |
| Non-main | DMs run on host, group sessions run in containers |
Sandbox Scope
| Scope | Behavior |
|---|---|
| Session | One container per session (maximum isolation) |
| Shared | One container shared across all sessions for an agent |
Resource Limits
Each container has configurable resource limits:
- CPU — Allocated in millicores
- Memory — Allocated in MB
- Storage — Allocated in GB
These limits prevent any single agent from consuming excessive resources.
Elevated Mode
When sandboxing is enabled, agents can request temporary elevated access to the host system for specific operations. This requires:
- Elevated mode enabled in configuration
- Explicit approval per command (ask policy)
- Command allowlist/denylist
Elevated mode is disabled by default and should only be used when necessary.
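The three requirements above, written as a gate that decides one elevated command request. This is an added example, not ThinkFleet's code: `ElevatedPolicy`, `decide`, the field names, exact-path matching, denylist-over-allowlist precedence and the refusal of shell metacharacters are all assumptions.

```python
import shlex
from dataclasses import dataclass, field

# Assumption: characters that could chain a second command are refused outright.
SHELL_META = set(";&|`$<>\n")


@dataclass
class ElevatedPolicy:
    # Hypothetical field names; the page does not list ThinkFleet's config keys.
    enabled: bool = False  # the page: elevated mode is disabled by default
    allowlist: set = field(default_factory=set)  # full paths of permitted programs
    denylist: set = field(default_factory=set)   # full paths that are never permitted


def decide(policy, command, approve):
    """Return (allowed, reason) for one elevated command request.

    approve(argv) stands in for the per-command ask prompt; it is only
    called once every static check has passed.
    """
    if not policy.enabled:
        return False, "elevated mode disabled"
    if any(ch in SHELL_META for ch in command):
        return False, "shell metacharacter in command"
    try:
        argv = shlex.split(command)
    except ValueError:  # e.g. unbalanced quotes
        return False, "unparseable command"
    if not argv:
        return False, "empty command"
    program = argv[0]
    if program in policy.denylist:  # assumed precedence: deny beats allow
        return False, "denylisted"
    if program not in policy.allowlist:
        return False, "not on allowlist"
    if not approve(argv):
        return False, "approval refused"
    return True, "approved"


if __name__ == "__main__":
    # Constructed sample policy and requests.
    demo = ElevatedPolicy(enabled=True, allowlist={"/usr/bin/systemctl"})
    for cmd in ("/usr/bin/systemctl status nginx", "/usr/bin/systemctl status nginx; id"):
        print(cmd, "->", decide(demo, cmd, lambda argv: True))
```

Matching on the full path in `argv[0]` rather than the basename keeps a same-named binary in another directory from satisfying the allowlist.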
Workspace Access
Container access to the agent workspace can be controlled:
| Level | Access |
|---|---|
| None | No workspace access |
| Read-only | Can read but not modify workspace files |
| Read-write | Full workspace access (default) |