Skip to content

Sandbox API

Base path: /api/sandbox

All endpoints require authentication. See API Overview for auth details.

GET /api/sandbox/config

Response — the full config plus the derived profile (read-only):

{
"config": {
"mode": "selective",
"scope": "session",
"workspace_access": "ro",
"network": { "enabled": true, "allowed_domains": [], "blocked_domains": [] },
"resources": { "cpu_cores": 1.0, "memory_mb": 512, "disk_mb": 1024, "max_processes": 64, "timeout_seconds": 300 },
"smart_sandbox_risk_threshold": 0.5,
"block_when_no_runtime": false
},
"profile": "safe"
}
PUT /api/sandbox/config
{
"mode": "all",
"network": {
"enabled": true,
"allowed_domains": ["api.github.com", "registry.npmjs.org"]
}
}

Config values:

FieldOptionsDescription
modeoff, selective, allOff / Safe / Strict mapping
scopesession, agent, sharedContainer persistence
workspace_accessnone, ro, rwAccess to agent workspace
smart_sandbox_risk_threshold01Safe-mode risk cutoff (≥ ⇒ containerize)
block_when_no_runtimetrue/falseFail closed (block) instead of host fallback
GET /api/sandbox/status
{
"status": "ok",
"mode": "selective",
"scope": "session",
"profile": "safe",
"runtime": { "available": true, "type": "docker", "version": "25.0.4" },
"active_containers": 2,
"degraded": false,
"platform": { "system": "Darwin", "os_fence_supported": true, "windows_needs_wsl2": false }
}
  • runtime.available — whether a container runtime is reachable (with type/version).
  • degradedtrue when the profile is Safe/Strict but no runtime is available, so commands run unsandboxed (surfaced, never silent). The engine also emits a sandbox.degraded event.
  • platform — OS and capability signals for the runtime-status banner (os_fence_supported, windows_needs_wsl2).
GET /api/sandbox/containers

Response:

{
"containers": [
{
"id": "container_abc123",
"agent_id": "agent_123",
"scope": "agent",
"status": "running",
"created_at": "2026-03-02T10:00:00Z",
"cpu_percent": 5.2,
"memory_mb": 256,
"executions_count": 42
}
]
}
GET /api/sandbox/containers/{id}
POST /api/sandbox/containers/{id}/stop
POST /api/sandbox/containers/{id}/restart
DELETE /api/sandbox/containers/{id}

Permanently removes the container and its data.

POST /api/sandbox/containers/cleanup

Removes idle or orphaned containers.

GET /api/sandbox/containers/{id}/snapshots
POST /api/sandbox/containers/{id}/snapshots
POST /api/sandbox/containers/{id}/snapshots/{sid}/rollback
DELETE /api/sandbox/containers/{id}/snapshots/{sid}

Save and restore container state via snapshots.

GET /api/sandbox/templates
POST /api/sandbox/templates
POST /api/sandbox/templates/{id}/build
POST /api/sandbox/templates/{id}/pull
DELETE /api/sandbox/templates/{id}

Manage container image templates.

GET /api/sandbox/audit
GET /api/sandbox/audit/summary
POST /api/sandbox/audit/cleanup
GET /api/sandbox/audit/{id}/output

Query sandbox execution audit logs.

GET /api/sandbox/pool
POST /api/sandbox/pool/drain

Manage the pre-warmed container pool.

GET /api/sandbox/gpu

List available GPU resources.

Default limits by permission tier:

TierCPUMemoryDiskMax procsTimeout
Sandbox0.5 cores256 MB256 MB3260s
Restricted1.0 core512 MB512 MB64120s
Standard2.0 cores1 GB2 GB128300s
Elevated4.0 cores4 GB8 GB256600s
Unrestrictedunlimitedunlimitedunlimitedunlimited1800s

Network access is a flat, per-config setting (on/off), not tied to these tiers.