2026-01-08 01:06:09 +01:00
---
summary: "Per-agent sandbox + tool restrictions, precedence, and examples"
title: Multi-Agent Sandbox & Tools
read_when: "You want per-agent sandboxing or per-agent tool allow/deny policies in a multi-agent gateway."
status: active
---
2026-01-07 11:59:16 +01:00
# Multi-Agent Sandbox & Tools Configuration
## Overview
Each agent in a multi-agent setup can now have its own:
2026-01-09 12:44:23 +00:00
- **Sandbox configuration** (`agents.list[].sandbox` overrides `agents.defaults.sandbox` )
- **Tool restrictions** (`tools.allow` / `tools.deny` , plus `agents.list[].tools` )
2026-01-07 11:59:16 +01:00
This allows you to run multiple agents with different security profiles:
- Personal assistant with full access
- Family/work agents with restricted tools
- Public-facing agents in sandboxes
2026-01-08 21:49:26 +01:00
For how sandboxing behaves at runtime, see [Sandboxing ](/gateway/sandboxing ).
2026-01-10 20:28:34 +01:00
For debugging “why is this blocked?”, see [Sandbox vs Tool Policy vs Elevated ](/gateway/sandbox-vs-tool-policy-vs-elevated ) and `clawdbot sandbox explain` .
2026-01-08 21:49:26 +01:00
2026-01-07 11:59:16 +01:00
---
## Configuration Examples
### Example 1: Personal + Restricted Family Agent
``` json
{
2026-01-09 12:44:23 +00:00
"agents" : {
"list" : [
{
"id" : "main" ,
"default" : true ,
2026-01-07 11:59:16 +01:00
"name" : "Personal Assistant" ,
"workspace" : "~/clawd" ,
2026-01-09 12:44:23 +00:00
"sandbox" : { "mode" : "off" }
2026-01-07 11:59:16 +01:00
} ,
2026-01-09 12:44:23 +00:00
{
"id" : "family" ,
2026-01-07 11:59:16 +01:00
"name" : "Family Bot" ,
"workspace" : "~/clawd-family" ,
"sandbox" : {
"mode" : "all" ,
"scope" : "agent"
} ,
"tools" : {
"allow" : [ "read" ] ,
"deny" : [ "bash" , "write" , "edit" , "process" , "browser" ]
}
}
2026-01-09 12:44:23 +00:00
]
} ,
"bindings" : [
{
"agentId" : "family" ,
"match" : {
"provider" : "whatsapp" ,
"accountId" : "*" ,
"peer" : {
"kind" : "group" ,
"id" : "120363424282127706@g.us"
2026-01-07 11:59:16 +01:00
}
}
2026-01-09 12:44:23 +00:00
}
]
2026-01-07 11:59:16 +01:00
}
```
**Result: **
- `main` agent: Runs on host, full tool access
- `family` agent: Runs in Docker (one container per agent), only `read` tool
---
### Example 2: Work Agent with Shared Sandbox
``` json
{
2026-01-09 12:44:23 +00:00
"agents" : {
"list" : [
{
"id" : "personal" ,
2026-01-07 11:59:16 +01:00
"workspace" : "~/clawd-personal" ,
"sandbox" : { "mode" : "off" }
} ,
2026-01-09 12:44:23 +00:00
{
"id" : "work" ,
2026-01-07 11:59:16 +01:00
"workspace" : "~/clawd-work" ,
"sandbox" : {
"mode" : "all" ,
"scope" : "shared" ,
"workspaceRoot" : "/tmp/work-sandboxes"
} ,
"tools" : {
"allow" : [ "read" , "write" , "bash" ] ,
"deny" : [ "browser" , "gateway" , "discord" ]
}
}
2026-01-09 12:44:23 +00:00
]
2026-01-07 11:59:16 +01:00
}
}
```
---
### Example 3: Different Sandbox Modes per Agent
``` json
{
2026-01-09 12:44:23 +00:00
"agents" : {
"defaults" : {
"sandbox" : {
"mode" : "non-main" , // Global default
"scope" : "session"
}
} ,
"list" : [
{
"id" : "main" ,
2026-01-07 11:59:16 +01:00
"workspace" : "~/clawd" ,
"sandbox" : {
"mode" : "off" // Override: main never sandboxed
}
} ,
2026-01-09 12:44:23 +00:00
{
"id" : "public" ,
2026-01-07 11:59:16 +01:00
"workspace" : "~/clawd-public" ,
"sandbox" : {
"mode" : "all" , // Override: public always sandboxed
"scope" : "agent"
} ,
"tools" : {
"allow" : [ "read" ] ,
"deny" : [ "bash" , "write" , "edit" ]
}
}
2026-01-09 12:44:23 +00:00
]
2026-01-07 11:59:16 +01:00
}
}
```
---
## Configuration Precedence
2026-01-09 12:44:23 +00:00
When both global (`agents.defaults.*` ) and agent-specific (`agents.list[].*` ) configs exist:
2026-01-07 11:59:16 +01:00
### Sandbox Config
Agent-specific settings override global:
```
2026-01-09 12:44:23 +00:00
agents.list[].sandbox.mode > agents.defaults.sandbox.mode
agents.list[].sandbox.scope > agents.defaults.sandbox.scope
agents.list[].sandbox.workspaceRoot > agents.defaults.sandbox.workspaceRoot
agents.list[].sandbox.workspaceAccess > agents.defaults.sandbox.workspaceAccess
agents.list[].sandbox.docker.* > agents.defaults.sandbox.docker.*
agents.list[].sandbox.browser.* > agents.defaults.sandbox.browser.*
agents.list[].sandbox.prune.* > agents.defaults.sandbox.prune.*
2026-01-07 11:59:16 +01:00
```
2026-01-08 01:06:09 +01:00
**Notes: **
2026-01-09 12:44:23 +00:00
- `agents.list[].sandbox.{docker,browser,prune}.*` overrides `agents.defaults.sandbox.{docker,browser,prune}.*` for that agent (ignored when sandbox scope resolves to `"shared"` ).
2026-01-07 11:59:16 +01:00
### Tool Restrictions
The filtering order is:
2026-01-09 12:44:23 +00:00
1. **Global tool policy ** (`tools.allow` / `tools.deny` )
2. **Agent-specific tool policy ** (`agents.list[].tools` )
3. **Sandbox tool policy ** (`tools.sandbox.tools` or `agents.list[].tools.sandbox.tools` )
4. **Subagent tool policy ** (`tools.subagents.tools` , if applicable)
2026-01-07 11:59:16 +01:00
Each level can further restrict tools, but cannot grant back denied tools from earlier levels.
2026-01-09 12:44:23 +00:00
If `agents.list[].tools.sandbox.tools` is set, it replaces `tools.sandbox.tools` for that agent.
2026-01-07 11:59:16 +01:00
2026-01-09 20:42:16 +00:00
### Elevated Mode
`tools.elevated` is the global baseline (sender-based allowlist). `agents.list[].tools.elevated` can further restrict elevated for specific agents (both must allow).
2026-01-08 22:57:08 +01:00
Mitigation patterns:
2026-01-09 12:44:23 +00:00
- Deny `bash` for untrusted agents (`agents.list[].tools.deny: ["bash"]` )
2026-01-08 22:57:08 +01:00
- Avoid allowlisting senders that route to restricted agents
2026-01-09 12:44:23 +00:00
- Disable elevated globally (`tools.elevated.enabled: false` ) if you only want sandboxed execution
2026-01-09 20:42:16 +00:00
- Disable elevated per agent (`agents.list[].tools.elevated.enabled: false` ) for sensitive profiles
2026-01-08 22:57:08 +01:00
2026-01-07 11:59:16 +01:00
---
## Migration from Single Agent
**Before (single agent): **
``` json
{
2026-01-09 12:44:23 +00:00
"agents" : {
"defaults" : {
"workspace" : "~/clawd" ,
"sandbox" : {
"mode" : "non-main"
}
}
} ,
"tools" : {
2026-01-07 11:59:16 +01:00
"sandbox" : {
"tools" : {
"allow" : [ "read" , "write" , "bash" ] ,
"deny" : [ ]
}
}
}
}
```
**After (multi-agent with different profiles): **
``` json
{
2026-01-09 12:44:23 +00:00
"agents" : {
"list" : [
{
"id" : "main" ,
"default" : true ,
2026-01-07 11:59:16 +01:00
"workspace" : "~/clawd" ,
2026-01-09 12:44:23 +00:00
"sandbox" : { "mode" : "off" }
2026-01-07 11:59:16 +01:00
}
2026-01-09 12:44:23 +00:00
]
2026-01-07 11:59:16 +01:00
}
}
```
2026-01-09 12:44:23 +00:00
Legacy `agent.*` configs are migrated by `clawdbot doctor` ; prefer `agents.defaults` + `agents.list` going forward.
2026-01-07 11:59:16 +01:00
---
## Tool Restriction Examples
### Read-only Agent
``` json
{
"tools" : {
"allow" : [ "read" ] ,
"deny" : [ "bash" , "write" , "edit" , "process" ]
}
}
```
### Safe Execution Agent (no file modifications)
``` json
{
"tools" : {
"allow" : [ "read" , "bash" , "process" ] ,
"deny" : [ "write" , "edit" , "browser" , "gateway" ]
}
}
```
### Communication-only Agent
``` json
{
"tools" : {
2026-01-09 23:35:35 +00:00
"allow" : [ "sessions_list" , "sessions_send" , "sessions_history" , "session_status" ] ,
2026-01-07 11:59:16 +01:00
"deny" : [ "bash" , "write" , "edit" , "read" , "browser" ]
}
}
```
---
2026-01-09 03:23:36 +01:00
## Common Pitfall: "non-main"
2026-01-09 12:44:23 +00:00
`agents.defaults.sandbox.mode: "non-main"` is based on `session.mainKey` (default `"main"` ),
2026-01-09 03:23:36 +01:00
not the agent id. Group/channel sessions always get their own keys, so they
are treated as non-main and will be sandboxed. If you want an agent to never
2026-01-09 12:44:23 +00:00
sandbox, set `agents.list[].sandbox.mode: "off"` .
2026-01-09 03:23:36 +01:00
---
2026-01-07 11:59:16 +01:00
## Testing
After configuring multi-agent sandbox and tools:
1. **Check agent resolution: **
```bash
2026-01-08 07:49:07 +01:00
clawdbot agents list --bindings
2026-01-07 11:59:16 +01:00
` ``
2. **Verify sandbox containers:**
` ``bash
docker ps --filter "label=clawdbot.sandbox=1"
` ``
3. **Test tool restrictions:**
- Send a message requiring restricted tools
- Verify the agent cannot use denied tools
4. **Monitor logs:**
` ``bash
2026-01-08 08:24:16 +01:00
tail -f "${CLAWDBOT_STATE_DIR:-$HOME/.clawdbot}/logs/gateway.log" | grep -E "routing|sandbox|tools"
2026-01-07 11:59:16 +01:00
` ``
---
## Troubleshooting
### Agent not sandboxed despite ` mode: "all"`
2026-01-09 12:44:23 +00:00
- Check if there's a global ` agents.defaults.sandbox.mode` that overrides it
- Agent-specific config takes precedence, so set ` agents.list[].sandbox.mode: "all"`
2026-01-07 11:59:16 +01:00
### Tools still available despite deny list
- Check tool filtering order: global → agent → sandbox → subagent
- Each level can only further restrict, not grant back
- Verify with logs: ` [tools] filtering tools for agent:${agentId}`
### Container not isolated per agent
- Set ` scope: "agent"` in agent-specific sandbox config
- Default is ` "session"` which creates one container per session
---
## See Also
- [Multi-Agent Routing ](/concepts/multi-agent )
2026-01-09 12:44:23 +00:00
- [Sandbox Configuration ](/gateway/configuration#agentsdefaults-sandbox )
2026-01-07 11:59:16 +01:00
- [Session Management ](/concepts/session )