| Name | Type |
|---|---|
| command_timeout | float |
| startup_timeout | float |
| termination_timeout | float |
| max_output_lines | int |
| max_output_bytes | int | None |
| binary | str |
| image | str |
| remove_container_on_exit | bool |
| network_enabled | bool |
| extra_run_args | Sequence[str] | None |
| memory_bytes | int | None |
| cpu_time_seconds | typing.Any | None |
| cpus | str | None |
| read_only_rootfs | bool |
| user | str | None |
Run the shell inside a dedicated Docker container.
Choose this policy when commands originate from untrusted users or you require
strong isolation between sessions. By default the workspace is bind-mounted only
when it refers to an existing non-temporary directory; ephemeral sessions run
without a mount to minimise host exposure. The container's network namespace is
disabled by default (--network none) and you can enable further hardening via
read_only_rootfs and user.
The security guarantees depend on your Docker daemon configuration. Run the agent on
a host where Docker is locked down (rootless mode, AppArmor/SELinux, etc.) and
review any additional volumes or capabilities passed through extra_run_args. The
default image is python:3.12-alpine3.19; supply a custom image if you need
preinstalled tooling.
