From 4db910698a56560a9977e2fbe2261a568e0d79dc Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Sat, 4 Apr 2026 18:39:12 +0100 Subject: [PATCH] docs: refresh sandbox and security elevated refs --- docs/gateway/background-process.md | 2 +- docs/gateway/sandboxing.md | 6 +++--- docs/gateway/security/index.md | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/gateway/background-process.md b/docs/gateway/background-process.md index f9e328f0386..3dbb4474ff5 100644 --- a/docs/gateway/background-process.md +++ b/docs/gateway/background-process.md @@ -18,7 +18,7 @@ Key parameters: - `yieldMs` (default 10000): auto‑background after this delay - `background` (bool): background immediately - `timeout` (seconds, default 1800): kill the process after this timeout -- `elevated` (bool): run on host if elevated mode is enabled/allowed +- `elevated` (bool): run outside the sandbox if elevated mode is enabled/allowed (`gateway` by default, or `node` when the exec target is `node`) - Need a real TTY? Set `pty: true`. - `workdir`, `env` diff --git a/docs/gateway/sandboxing.md b/docs/gateway/sandboxing.md index 5752fba41a0..963e521b75b 100644 --- a/docs/gateway/sandboxing.md +++ b/docs/gateway/sandboxing.md @@ -32,8 +32,8 @@ and process access when the model does something dumb. Not sandboxed: - The Gateway process itself. -- Any tool explicitly allowed to run on the host (e.g. `tools.elevated`). - - **Elevated exec runs on the host and bypasses sandboxing.** +- Any tool explicitly allowed to run outside the sandbox (e.g. `tools.elevated`). + - **Elevated exec bypasses sandboxing and uses the configured escape path (`gateway` by default, or `node` when the exec target is `node`).** - If sandboxing is off, `tools.elevated` does not change execution (already on host). See [Elevated Mode](/tools/elevated). ## Modes 
@@ -429,7 +429,7 @@ Common pitfalls: Tool allow/deny policies still apply before sandbox rules. If a tool is denied globally or per-agent, sandboxing doesn’t bring it back. -`tools.elevated` is an explicit escape hatch that runs `exec` on the host. +`tools.elevated` is an explicit escape hatch that runs `exec` outside the sandbox (`gateway` by default, or `node` when the exec target is `node`). `/exec` directives only apply for authorized senders and persist per session; to hard-disable `exec`, use tool policy deny (see [Sandbox vs Tool Policy vs Elevated](/gateway/sandbox-vs-tool-policy-vs-elevated)). diff --git a/docs/gateway/security/index.md b/docs/gateway/security/index.md index 5e036cfd11b..4f7f767f0df 100644 --- a/docs/gateway/security/index.md +++ b/docs/gateway/security/index.md @@ -1107,7 +1107,7 @@ Also consider agent workspace access inside the sandbox: - `agents.defaults.sandbox.workspaceAccess: "ro"` mounts the agent workspace read-only at `/agent` (disables `write`/`edit`/`apply_patch`) - `agents.defaults.sandbox.workspaceAccess: "rw"` mounts the agent workspace read/write at `/workspace` -Important: `tools.elevated` is the global baseline escape hatch that runs exec on the host. Keep `tools.elevated.allowFrom` tight and don’t enable it for strangers. You can further restrict elevated per agent via `agents.list[].tools.elevated`. See [Elevated Mode](/tools/elevated). +Important: `tools.elevated` is the global baseline escape hatch that runs exec outside the sandbox. The effective host is `gateway` by default, or `node` when the exec target is configured to `node`. Keep `tools.elevated.allowFrom` tight and don’t enable it for strangers. You can further restrict elevated per agent via `agents.list[].tools.elevated`. See [Elevated Mode](/tools/elevated). ### Sub-agent delegation guardrail
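Review bot: in docs/gateway/background-process.md, the new `elevated` bullet puts `gateway` and `node` in a parenthetical without saying what they are, so a reader of this parameter list cannot tell that they name where the command runs. The docs/gateway/security/index.md hunk in this same patch calls this the "effective host"; consider using that phrasing here as well, for example "run outside the sandbox if elevated mode is enabled/allowed; the effective host is `gateway` by default, or `node` when the exec target is `node`". The visible lines of this bullet also carry no link, while the other two files point to [Elevated Mode](/tools/elevated); adding the same link here would help.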
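Review bot: in the first docs/gateway/sandboxing.md hunk (@@ -32,8 +32,8 @@), the unchanged line directly after the edited bullets still reads "If sandboxing is off, `tools.elevated` does not change execution (already on host)", which keeps the "on host" wording this patch replaces in the two lines above it. Please update that line in the same change so the list does not mix the two descriptions. The bolded sub-bullet also introduces "configured escape path", a term used nowhere else in this patch; "effective host", as in security/index.md, would keep the three files consistent.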
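Review bot: in the second docs/gateway/sandboxing.md hunk (@@ -429,7 +429,7 @@), the new sentence says "or `node` when the exec target is `node`" but does not say where the exec target is set, and the surrounding paragraph only links to tool policy for hard-disabling `exec`. Since this is the "Common pitfalls" text operators read when deciding what an elevated `exec` can reach, name the setting that selects the exec target or link to the page that documents it.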
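Review bot: in docs/gateway/security/index.md, the "Important:" paragraph now says "when the exec target is configured to `node`", while the other three edits in this patch say "when the exec target is `node`"; pick one wording. More importantly for a security page, the advice "Keep `tools.elevated.allowFrom` tight" follows the new sentence without tying the two together: it would be worth stating explicitly that senders in `allowFrom` get `exec` on whichever host is effective, so that operators who set the exec target to `node` review `allowFrom` with that host in mind.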