openclaw - 💡(How to fix) Fix sandbox.mode "non-main" semantics: per-session, not per-agent — counter-intuitive for "main-agent-only" use case [1 participants]

Summary

agents.defaults.sandbox.mode = "non-main" reads as "non-main agents are sandboxed", but the actual logic in runtime-status.ts treats it per-session, not per-agent. Since every agent has its own main session, "non-main" mode causes every agent's primary conversation (including dynamic peer agents) to bypass sandbox, leaving only sub-sessions / sub-agents inside the sandbox.

This makes the common ops pattern "let admin's main agent run on host for speed, but keep peer/dynamic agents sandboxed for isolation" not directly expressible — it requires a verbose agents.list[] per-agent override.

Code reference

dist/runtime-status-CiCXoPFR.js:9-12 (≡ src/agents/sandbox/runtime-status.ts):

function shouldSandboxSession(cfg, sessionKey, mainSessionKey) {
    if (cfg.mode === "off") return false;
    if (cfg.mode === "all") return true;
    return sessionKey.trim() !== mainSessionKey.trim();   // "non-main"
}

mainSessionKey is resolved per-agent via resolveAgentMainSessionKey({cfg, agentId}), so for any agent, its own main session matches and bypasses sandbox.

Reproduction

Setup: agents.defaults.sandbox.mode = "non-main", with one main agent (admin DM) and one dynamic feishu-ou_<peer> agent (auto-created via channels.feishu.dynamicAgentCreation).

Result:

The third row breaks the expectation: peer-facing agents lose sandbox isolation on their primary path.

Real use case this blocks

Single-admin VPS deployment where:

• Admin (main agent) wants fast DM responses → sandbox bypass acceptable (trusted)
• External users via dynamic peer agents (feishu-ou_*, wecom-ou_*) → must stay sandboxed (untrusted)

"non-main" does the opposite of what the name suggests for this case. There is no single mode value that expresses it.

Workarounds (verified working)

Per-agent override works, but is verbose and requires duplicating workspace/agentDir paths that defaults would otherwise resolve:

```json { "agents": { "defaults": { "sandbox": { "mode": "all" } }, "list": [ { "id": "main", "workspace": "/home/openclaw/.openclaw/workspace-main", "agentDir": "/home/openclaw/.openclaw/agents/main/agent", "sandbox": { "mode": "off" } } ] } } ```

Verified on `openclaw 2026.4.23` running as a system service on Debian:

• main DM: `dispatching to agent (session=agent:main:main)` → no `docker exec`, host-direct, ~5s overhead
• peer DM: `docker exec -i openclaw-sbx-agent-feishu-...` confirmed in journal, sandbox path intact

Proposed fixes (any one would help)

1. Add a `"main-agent-only"` (or `"main-agent"`) mode with semantics "only the `main` agent bypasses sandbox; every other agent — including their main sessions — runs in sandbox": ```js if (cfg.mode === "main-agent-only") return resolveSessionAgentId(sessionKey) !== "main"; ```
2. Rename `"non-main"` → `"non-main-session"` to make session-vs-agent scope explicit (with backward-compat alias).
3. Documentation for `agents.defaults.sandbox.mode`: explicitly call out that `"non-main"` is per-session, and link to the `agents.list[].sandbox` per-agent override pattern as the canonical "main-agent-only" recipe.

(1) is what most users likely want when they read "non-main" today; (2)+(3) are the lower-effort path.

Happy to send a PR for (1) if there's interest.