resolveSandboxDefault decides whether the sandbox path should be taken when the user did not pass --sandbox on the CLI. The first source that declares sandbox: true wins; in priority order: 1. an alias entry (`docker agent alias add ... --sandbox`); 2. the agent's own `runtime.sandbox: true`. Call
(ctx context.Context, agentRef string, current bool)
| 43 | // runInSandbox can reuse it without paying the resolve+load cost a |
| 44 | // second time. cfg is nil when agentRef is empty or fails to load. |
func resolveSandboxDefault(ctx context.Context, agentRef string, current bool) (bool, *latestcfg.Config) {
	// Decide whether the sandbox applies for agentRef and return the config
	// loaded along the way. Both lookups below can only turn the sandbox on;
	// nothing in this function turns off a value that is already true.

	// No agent reference: nothing to load or look up, so the caller's value
	// passes through and no config is returned.
	if agentRef == "" {
		return current, nil
	}

	// Load before any other return so every remaining path hands the config
	// back to the caller. loaded may be nil.
	loaded := loadAgentConfig(ctx, agentRef)

	// The caller already has the sandbox enabled; skip the alias lookup.
	if current {
		return true, loaded
	}

	useSandbox := false
	if entry := config.ResolveAlias(agentRef); entry != nil && entry.Sandbox {
		// The alias entry is consulted first and wins when it asks for the sandbox.
		useSandbox = true
	} else if loaded != nil && loaded.Runtime != nil {
		// Otherwise fall back to the agent's own runtime setting.
		useSandbox = loaded.Runtime.Sandbox
	}

	// NOTE(review): a nil config, or one without a Runtime section, leaves
	// useSandbox false here. A config that could not be loaded is therefore
	// indistinguishable from one that does not ask for the sandbox, so the
	// caller gets an unsandboxed default. Confirm the load failure is
	// reported elsewhere before the agent runs.
	return useSandbox, loaded
}
| 58 | |
| 59 | // agentNetworkAllowlist returns the hostnames the agent declared in |
| 60 | // runtime.network_allowlist. Entries with embedded commas or |