#23400: Onboarding: set sandbox defaults when Docker is available
Labels: commands, size: S, trusted-contributor
Cluster: Sandbox Enhancements and Fixes
## Summary
- add Docker availability detection to onboarding flows
- apply secure sandbox defaults during local onboarding when Docker is available:
  - `agents.defaults.sandbox.mode = "non-main"`
  - `agents.defaults.sandbox.workspaceAccess = "none"`
- preserve existing explicit sandbox settings instead of overwriting them
- print clear opt-out instructions during onboarding
- add unit tests for onboarding config defaults and update wizard mocks
## Testing
- `pnpm test src/commands/onboard-config.test.ts src/commands/onboard-interactive.test.ts src/wizard/onboarding.test.ts`
- `pnpm test:e2e src/commands/onboard-non-interactive.gateway.e2e.test.ts`
### Greptile Summary
Adds Docker detection to onboarding flows and applies secure sandbox defaults (`agents.defaults.sandbox.mode = "non-main"` and `agents.defaults.sandbox.workspaceAccess = "none"`) when Docker is available. The implementation correctly preserves existing explicit sandbox settings using the nullish coalescing operator, ensuring user preferences are not overwritten. Clear opt-out instructions are displayed during onboarding.
**Key changes:**
- Added `detectDockerSandboxAvailability()` helper that checks both Docker binary presence and server availability
- Modified `applyOnboardingLocalWorkspaceConfig()` to accept optional `enableSandboxDefaults` parameter
- Updated both interactive wizard and non-interactive onboarding flows to detect Docker and apply defaults
- Added comprehensive unit tests covering all scenarios (Docker available, unavailable, and preserving explicit settings)
- Updated wizard mocks to include the new Docker detection helper
### Confidence Score: 5/5
- This PR is safe to merge with minimal risk
- The implementation is clean, well-tested, and follows defensive programming practices. It correctly uses the nullish coalescing operator to preserve existing settings, includes comprehensive test coverage for all scenarios (defaults applied, settings preserved, Docker unavailable), and provides clear user messaging. The Docker detection is properly scoped with timeout protection and test environment guards.
- No files require special attention
Last reviewed commit: aa1af4d
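The default-merging behaviour described above (fill the two sandbox keys only when they are unset and Docker is available), shown as an added example that is not code from this PR or the project. `applySandboxDefaults`, its types and the `applied`/`preserved` lists are hypothetical names; the Docker check is assumed to have already produced a boolean.

```typescript
// Added example; hypothetical names, not the project's implementation.
type Sandbox = { mode?: string; workspaceAccess?: string };
type Config = { agents?: { defaults?: { sandbox?: Sandbox } } };

// The two defaults named in the PR summary.
const SANDBOX_DEFAULTS = { mode: "non-main", workspaceAccess: "none" } as const;
const SANDBOX_KEYS = ["mode", "workspaceAccess"] as const;
const PREFIX = "agents.defaults.sandbox.";

interface DefaultsResult {
  config: Config;      // new object; the input is never mutated
  applied: string[];   // key paths that received a default (drives the opt-out notice)
  preserved: string[]; // key paths whose explicit value was kept, possibly a weaker one
}

function applySandboxDefaults(input: Config, dockerAvailable: boolean): DefaultsResult {
  // Without Docker the sandbox cannot run, so the config is returned untouched.
  if (!dockerAvailable) return { config: input, applied: [], preserved: [] };

  const existing: Sandbox = input.agents?.defaults?.sandbox ?? {};

  // `??` fills only null/undefined, so every explicit value survives.
  const sandbox: Sandbox = {
    ...existing,
    mode: existing.mode ?? SANDBOX_DEFAULTS.mode,
    workspaceAccess: existing.workspaceAccess ?? SANDBOX_DEFAULTS.workspaceAccess,
  };

  const applied = SANDBOX_KEYS.filter((k) => existing[k] == null).map((k) => PREFIX + k);
  const preserved = SANDBOX_KEYS.filter((k) => existing[k] != null).map((k) => PREFIX + k);

  // Rebuild each level with spreads so sibling settings are carried over.
  const config: Config = {
    ...input,
    agents: {
      ...input.agents,
      defaults: { ...input.agents?.defaults, sandbox },
    },
  };
  return { config, applied, preserved };
}
```

The `preserved` list matters for review: an explicit setting that is weaker than the default is kept as-is, so onboarding output can name it rather than implying the secure defaults are in force.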
Most Similar PRs
- #7826: feat(sandbox): add Docker Sandboxes (microVM) as alternative backend (by HODL-Community · 2026-02-03, 79.2%)
- #9657: fix(doctor): warn when sandbox mode enabled without Docker (by mcaxtr · 2026-02-05, 78.8%)
- #4226: Fix/sandbox containerworkdir rw access (by ozgur-polat · 2026-01-29, 78.4%)
- #7851: feat: secure sandbox defaults for new installs (by ichbinlucaskim · 2026-02-03, 77.8%)
- #20991: fix(sandbox): fall back to gateway UID:GID when no user is configur... (by cluster2600 · 2026-02-19, 77.6%)
- #8186: fix(sandbox): validate setupCommand to prevent shell injection (by yubrew · 2026-02-03, 76.2%)
- #11878: fix: add missing error handler to execDocker child process (by Yida-Dev · 2026-02-08, 75.2%)
- #11820: fix(sandbox): remap container paths in sandboxed file tools (by steflsd · 2026-02-08, 75.2%)
- #17402: fix:sandbox path issue (by luckylhb90 · 2026-02-15, 75.0%)
- #13873: fix(sandbox): prevent Windows PATH from poisoning docker exec (by alessandrorodi · 2026-02-11, 75.0%)