#8137: feat: openclaw-env hardened sandbox generator (MVP)
stale
Cluster: Docker and Deployment Improvements
## Summary
- Add `openclaw-env` CLI (`packages/openclaw-env`) to generate per-workspace hardened Docker Compose sandboxes for OpenClaw.
- Enforces least-privilege defaults: non-root, read-only rootfs, no-new-privileges, cap-drop-all, tmpfs.
- Supports network modes: off, full, and restricted (restricted uses an egress-proxy with domain allowlist; openclaw has no direct egress).
- Supports secrets modes: none, env_file, docker_secrets (name+file).
## Test plan
- `pnpm -C packages/openclaw-env build`
- `pnpm -C packages/openclaw-env test`
- Manual e2e: `openclaw-env init/print/up/down` + restricted allowlist proxy checks (CONNECT allow/deny + deny logging).
## Greptile Overview
### Greptile Summary
This PR adds a new `packages/openclaw-env` CLI that generates and runs per-workspace hardened Docker Compose sandboxes for OpenClaw. It introduces config schema/loading, a compose generator (including an optional restricted-network egress proxy with allowlist), safety evaluation warnings, and `init/print/up/down` commands.
Key concern: `up` currently computes `requires_confirmation` findings (e.g., full egress + writable mounts) but does not enforce them, so `--yes` can bypass the intended acknowledgement step. There are also a couple of determinism/usability issues around safety checks depending on `process.cwd()` and the proxy allowlist only being read at startup.
### Confidence Score: 3/5
- Moderately safe to merge, but fix the safety gating inconsistency first.
- Most changes are additive and well-scoped, but `up` currently ignores the `requires_confirmation` class of safety findings, which can undermine the tool’s intended guardrails (especially with `--yes`). Root-path detection depending on `process.cwd()` can also make safety evaluation inconsistent.
- packages/openclaw-env/src/commands/up.ts; packages/openclaw-env/src/security/warnings.ts
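The least-privilege defaults listed in the summary correspond to standard Docker Compose service keys (`user`, `read_only`, `security_opt`, `cap_drop`, `tmpfs`). As an added example, not code from this PR or from openclaw-env, the TypeScript check below audits a parsed service definition for them; the `ComposeService` shape and the function names are hypothetical.

```typescript
// Added example, not openclaw-env code: audit one parsed Compose service
// against the least-privilege defaults named in the PR summary.
// ComposeService, isRootUser and auditService are hypothetical names.
interface ComposeService {
  user?: string;
  read_only?: boolean;
  security_opt?: string[];
  cap_drop?: string[];
  cap_add?: string[];
  tmpfs?: string | string[];
}

function isRootUser(user: string | undefined): boolean {
  // An unset user falls back to the image's USER, so it is not a guaranteed non-root UID.
  if (user === undefined || user.trim() === "") return true;
  const uid = (user.split(":")[0] ?? "").trim();
  return uid === "0" || uid === "root";
}

function auditService(svc: ComposeService): string[] {
  const findings: string[] = [];
  if (isRootUser(svc.user)) findings.push("user: root or unset");
  if (svc.read_only !== true) findings.push("read_only: root filesystem is writable");
  // Docker accepts "no-new-privileges", "no-new-privileges:true" and "no-new-privileges=true".
  const secOpts = (svc.security_opt ?? []).map((o) => o.replace("=", ":").toLowerCase());
  if (!secOpts.includes("no-new-privileges:true") && !secOpts.includes("no-new-privileges")) {
    findings.push("security_opt: no-new-privileges is not set");
  }
  const dropped = (svc.cap_drop ?? []).map((c) => c.toUpperCase());
  if (!dropped.includes("ALL")) findings.push("cap_drop: ALL is not dropped");
  if ((svc.cap_add ?? []).length > 0) findings.push("cap_add: re-adds " + (svc.cap_add ?? []).join(","));
  const tmpfs = typeof svc.tmpfs === "string" ? [svc.tmpfs] : (svc.tmpfs ?? []);
  if (tmpfs.length === 0) findings.push("tmpfs: no in-memory scratch mount for the read-only rootfs");
  return findings;
}

// Constructed sample inputs.
const hardened: ComposeService = {
  user: "1000:1000",
  read_only: true,
  security_opt: ["no-new-privileges:true"],
  cap_drop: ["ALL"],
  tmpfs: ["/tmp"],
};
const weak: ComposeService = { user: "0:0", cap_drop: ["NET_RAW"], cap_add: ["SYS_ADMIN"] };
console.log(auditService(hardened), auditService(weak));
```
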
Most Similar PRs
- #7133: feat: Automated Docker setup with environment-based configuration · by synetalsolutions · 2026-02-02 · 80.6%
- #6698: feat: Add CLI wrapper for Docker integration and update documentation · by barshopen · 2026-02-01 · 78.7%
- #8821: Security: Holistic capability-based sandbox (replaces pattern-match... · by tonioloewald · 2026-02-04 · 78.0%
- #15466: Vps setup merge · by tsekula · 2026-02-13 · 78.0%
- #9190: feat(docker): Add autonomous container self-restart and runtime pac... · by alexdredmon · 2026-02-05 · 77.1%
- #15757: feat(security): add hardening gap audit checks · by saurabhsh5 · 2026-02-13 · 76.9%
- #8050: fix: docker hardening · by christopherbarnett96 · 2026-02-03 · 76.7%
- #11553: feat(docker): add sandbox browser service and documentation · by dangphdh · 2026-02-08 · 76.4%
- #23313: feat(docker): add optional build-arg OPENCLAW_INSTALL_DOCKER_CLI to... · by zhuxuwei88-bot · 2026-02-22 · 75.5%
- #13873: fix(sandbox): prevent Windows PATH from poisoning docker exec · by alessandrorodi · 2026-02-11 · 74.9%