
#23400: Onboarding: set sandbox defaults when Docker is available

by bmendonca3 open 2026-02-22 08:53
commands size: S trusted-contributor
## Summary

- add Docker availability detection to onboarding flows
- apply secure sandbox defaults during local onboarding when Docker is available:
  - `agents.defaults.sandbox.mode = "non-main"`
  - `agents.defaults.sandbox.workspaceAccess = "none"`
- preserve existing explicit sandbox settings instead of overwriting them
- print clear opt-out instructions during onboarding
- add unit tests for onboarding config defaults and update wizard mocks

## Testing

- pnpm test src/commands/onboard-config.test.ts src/commands/onboard-interactive.test.ts src/wizard/onboarding.test.ts
- pnpm test:e2e src/commands/onboard-non-interactive.gateway.e2e.test.ts

<h3>Greptile Summary</h3>

Adds Docker detection to onboarding flows and applies secure sandbox defaults (`agents.defaults.sandbox.mode = "non-main"` and `agents.defaults.sandbox.workspaceAccess = "none"`) when Docker is available. The implementation correctly preserves existing explicit sandbox settings using the nullish coalescing operator, ensuring user preferences are not overwritten. Clear opt-out instructions are displayed during onboarding.

**Key changes:**

- Added `detectDockerSandboxAvailability()` helper that checks both Docker binary presence and server availability
- Modified `applyOnboardingLocalWorkspaceConfig()` to accept optional `enableSandboxDefaults` parameter
- Updated both interactive wizard and non-interactive onboarding flows to detect Docker and apply defaults
- Added comprehensive unit tests covering all scenarios (Docker available, unavailable, and preserving explicit settings)
- Updated wizard mocks to include the new Docker detection helper

<h3>Confidence Score: 5/5</h3>

- This PR is safe to merge with minimal risk
- The implementation is clean, well-tested, and follows defensive programming practices. It correctly uses the nullish coalescing operator to preserve existing settings, includes comprehensive test coverage for all scenarios (defaults applied, settings preserved, Docker unavailable), and provides clear user messaging. The Docker detection is properly scoped with timeout protection and test environment guards.
- No files require special attention

<sub>Last reviewed commit: aa1af4d</sub>
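The merge behaviour this PR describes (set the two sandbox keys only where the user has not already set them, and only when Docker is available), sketched as an added example that is not code from the PR or the project. The type names, function name and return shape are hypothetical; only the two config keys and their default values come from the description above.

```typescript
// Added example; everything except the two config keys and their defaults is hypothetical.
type SandboxConfig = { mode?: string; workspaceAccess?: string };
type OnboardConfig = { agents?: { defaults?: { sandbox?: SandboxConfig } } };

// Default values as listed in the PR summary.
const SANDBOX_DEFAULTS: Required<SandboxConfig> = {
  mode: "non-main",
  workspaceAccess: "none",
};

function applySandboxDefaults(
  config: OnboardConfig,
  dockerAvailable: boolean,
): { config: OnboardConfig; applied: string[] } {
  // Without Docker the sandbox cannot run, so the config is returned untouched.
  if (!dockerAvailable) return { config, applied: [] };

  const existing: SandboxConfig = config.agents?.defaults?.sandbox ?? {};
  const sandbox: SandboxConfig = { ...existing }; // copy, so the caller's object is not mutated
  const applied: string[] = [];

  // Decide per key, treating only null/undefined as "unset" (the same test `??` uses),
  // so a partially configured sandbox keeps every value the user chose.
  for (const key of ["mode", "workspaceAccess"] as const) {
    if (sandbox[key] == null) {
      sandbox[key] = SANDBOX_DEFAULTS[key];
      applied.push(`agents.defaults.sandbox.${key}`);
    }
  }

  return {
    config: {
      ...config,
      agents: { ...config.agents, defaults: { ...config.agents?.defaults, sandbox } },
    },
    // Keys that were actually defaulted, e.g. to list in the opt-out message.
    applied,
  };
}
```

Returning the list of defaulted keys lets the onboarding message name only the settings it changed, so a user who already chose a sandbox mode is not told it was set for them.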
