defenseclaw-gateway sandbox — DefenseClaw

Overview

defenseclaw-gateway sandbox — Manage the openshell-sandbox instance.

Reference

Synopsis

sandbox

Subcommands

Subcommand  Description
exec        Run a command as the sandbox user
policy      Compare active sandbox policy against configured endpoints
restart     Restart the sandbox (sidecar reconnects automatically)
shell       Open an interactive shell as the sandbox user
start       Start the sandbox and sidecar via systemd
status      Show sandbox and sidecar systemd status
stop        Stop the sandbox and sidecar via systemd

Description

Manage the openshell-sandbox standalone instance.

These are convenience wrappers around systemd. The sandbox and sidecar are independent systemd services grouped by defenseclaw-sandbox.target.

defenseclaw-gateway sandbox exec

Synopsis

exec -- <command> [args...]

Description

Run a command as the sandbox user on the host.

By default, the command runs via 'sudo -u sandbox <command>' on the host filesystem. The sandbox home directory is shared: Landlock restricts access but does not overlay the filesystem, so all changes persist.

Use --netns to run inside the sandbox's network namespace (for debugging).

Flags

Flag     Type  Default  Description
--netns  bool           Run inside the sandbox network namespace

defenseclaw-gateway sandbox policy

Synopsis

policy diff

Description

Check which endpoints required by OpenClaw's configured channels and providers are covered by the active OpenShell sandbox network policy.

Reads openclaw.json to discover required endpoints, then checks each one against the active policy YAML. Reports missing entries.

defenseclaw-gateway sandbox restart

Synopsis

restart

Description

Restart the sandbox (sidecar reconnects automatically)

defenseclaw-gateway sandbox shell

Synopsis

shell

Description

Open an interactive shell as the sandbox user

defenseclaw-gateway sandbox start

Synopsis

start

Description

Start the sandbox and sidecar via systemd

defenseclaw-gateway sandbox status

Synopsis

status

Description

Show sandbox and sidecar systemd status

defenseclaw-gateway sandbox stop

Synopsis

stop

Description

Stop the sandbox and sidecar via systemd

Usage

Concrete invocation recipes are added by the cli-commands subagents. Pair this with the equivalent Python wrapper command under Python CLI — most gateway operations are also available one layer up.
