Docs
Gateway service runbook
Sandbox vs Tool Policy vs Elevated

Sandbox vs Tool Policy vs Elevated

Scope

This page is a placeholder generated from the official source file structure.

What to verify

  • TODO: Add prerequisites and validation checklist.

Outline (from official headings)

  • Quick debug
  • Sandbox: where tools run
  • Bind mounts (security quick check)
  • Tool policy: which tools exist/are callable
  • Tool groups (shorthands)
  • Elevated: exec-only “run on host”
  • Common “sandbox jail” fixes
  • “Tool X blocked by sandbox tool policy”
  • “I thought this was main, why is it sandboxed?”

Further reading

  • Official source file: gateway/sandbox-vs-tool-policy-vs-elevated.md
Running Clawdbot.app with a Remote GatewaySandboxing