Docker Sandbox transport for isolated agent execution #1
Summary
Add a docker-sandbox transport (or sandbox: true option on existing handlers) that runs agents inside Docker Sandboxes — microVM-based isolation that's a step above plain containers.
Why
Society's trust model means agents run with full autonomy (--dangerously-skip-permissions, --full-auto, etc.). Docker Sandboxes add defense-in-depth: agents still trust each other, but their blast radius is contained. Each agent gets its own microVM with a private Docker daemon, network isolation (allow/deny lists), and workspace-only filesystem access.
How it could work
Docker Sandbox supports stdin/stdout piping via docker sandbox exec -i, which fits naturally into Society's exec/stdio patterns:
society send sandboxed-claude "do something"
→ docker sandbox exec -i my-claude -- claude -p --output-format json
→ pipes A2A JSON-RPC via stdin, reads response from stdout
Supported agents: claude, codex, copilot, gemini, kiro, opencode, shell.
Integration angles:
- New docker-sandbox transport — like ssh-exec but runs inside a sandbox
- sandbox: true on existing handlers — daemon optionally starts agents in sandboxes
- Useful for local/stdio setups — not just remote machines
Limitation
Requires Docker Desktop (macOS/Windows). Docker Sandboxes use Docker's microVM infrastructure which is not available on headless Linux servers. This means it would primarily be a feature for machines running Docker Desktop.
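A sketch of the stdin/stdout flow proposed above, as an added example that is not part of the original issue or of Society's code base. The function names, the sandbox-name rule and the injectable `run` parameter are assumptions; the `docker sandbox exec -i` invocation and the agent list are taken from the issue text.

```python
import json
import re
import subprocess

# Agents the issue lists as supported.
SUPPORTED_AGENTS = {"claude", "codex", "copilot", "gemini", "kiro", "opencode", "shell"}
# Assumed naming rule: must start alphanumeric, so a name can never parse as a flag.
SANDBOX_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,62}")


def build_argv(sandbox, agent_argv):
    """Return the argv for `docker sandbox exec -i <sandbox> -- <agent ...>`."""
    if not SANDBOX_NAME.fullmatch(sandbox):
        raise ValueError(f"invalid sandbox name: {sandbox!r}")
    if not agent_argv or agent_argv[0] not in SUPPORTED_AGENTS:
        raise ValueError(f"unsupported agent command: {agent_argv!r}")
    # List form, no shell: message text never reaches a command line.
    return ["docker", "sandbox", "exec", "-i", sandbox, "--", *agent_argv]


def send(sandbox, agent_argv, request, run=subprocess.run, timeout=300):
    """Pipe one JSON-RPC request to the sandboxed agent and parse its reply."""
    argv = build_argv(sandbox, agent_argv)
    proc = run(argv, input=json.dumps(request).encode(), capture_output=True,
               timeout=timeout, check=False)
    if proc.returncode != 0:
        detail = proc.stderr.decode(errors="replace")[:200]
        raise RuntimeError(f"sandbox exec failed ({proc.returncode}): {detail}")
    try:
        reply = json.loads(proc.stdout)
    except ValueError as exc:  # covers bad JSON and undecodable bytes
        raise RuntimeError("agent stdout was not JSON") from exc
    # Output from inside the sandbox is untrusted: check the envelope and the id.
    if (not isinstance(reply, dict) or reply.get("jsonrpc") != "2.0"
            or reply.get("id") != request["id"]):
        raise RuntimeError("malformed or mismatched JSON-RPC reply")
    return reply
```

Passing the message only on stdin keeps user-controlled text out of the process arguments, and the explicit `--` stops anything in the agent command from being read as a `docker` option.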