Docker-only sandboxing limits the blast radius of AI agent failures, but it does not prevent harmful actions within the container. SafeClaw by Authensor adds the missing layer: deny-by-default action gating that controls what your agent can do inside the sandbox, not just where it can do it. Install it with `npx @authensor/safeclaw` to move from container isolation alone to defense in depth.
What Docker Gives You (and What It Does Not)
Docker containers provide valuable isolation:
- File system isolation: The agent cannot access the host file system directly
- Network isolation: Network policies can restrict external access
- Resource limits: CPU, memory, and disk constraints prevent runaway consumption
- Process isolation: The agent cannot interfere with host processes
What Docker cannot do is control the agent's behavior inside those boundaries. Even in a hardened container (see the `docker run` sketch after this list):
- An agent can still delete all files inside the container, destroying its working directory and any mounted volumes
- An agent can still exfiltrate data through any allowed network endpoint
- An agent can still execute arbitrary shell commands within the container
- An agent can still exhaust all of its allocated resources; Docker caps the totals but offers no per-action control
- An agent can still write to mounted volumes that may contain shared data
- There is no action-level audit trail of what the agent actually did
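For concreteness, here is what a typical hardened launch looks like (image, network, and mount names are illustrative); every gap listed above still exists inside it:

```bash
# Illustrative hardened launch. Docker constrains WHERE the agent runs;
# none of these flags constrain WHAT it does to /workspace or to any
# host it can still reach.
docker run --rm \
  --read-only \
  --memory=2g --cpus=1.5 \
  --network agent-restricted-net \
  -v "$PWD/workspace:/workspace" \
  my-agent-image
```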
The Layered Security Model
Docker and SafeClaw are complementary, not competing. The strongest safety posture uses both:
```
[ Agent Logic ]
       |
[ SafeClaw: Action-level gating ]   <-- What can the agent do?
       |
[ Docker: Container isolation ]     <-- Where can the agent operate?
       |
[ Host System ]
```
SafeClaw gates every action request before execution. Docker contains the execution environment. Together, they provide defense in depth.
Step-by-Step Upgrade
Step 1: Install SafeClaw Inside Your Container
Add SafeClaw to your Dockerfile or install it at runtime:
```dockerfile
# In your Dockerfile
RUN npx @authensor/safeclaw
```
Or install at runtime:
```bash
npx @authensor/safeclaw
```
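A minimal Dockerfile sketch for a Node-based agent image (the base image, entrypoint, and file layout are assumptions, not requirements):

```dockerfile
# Illustrative image layout; adapt to your own agent.
FROM node:20-slim
WORKDIR /workspace
COPY . .
RUN npm ci
# Set up SafeClaw inside the image (same command as above).
RUN npx @authensor/safeclaw
CMD ["node", "agent.js"]
```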
Step 2: Audit Your Container's Action Surface
Run SafeClaw in simulation mode inside the container to observe what your agent actually does:
```javascript
safeclaw.init({
  mode: 'simulation',
  audit: true
});
```
You may discover that your agent performs actions you did not expect, actions that Docker alone does not prevent.
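As a sketch of where this call lives, assuming the package exposes the `safeclaw` object shown above via a standard import (the entrypoint and `runAgent` are placeholders for your own code):

```javascript
// Agent entrypoint (sketch): enable simulation mode before any agent logic runs.
const safeclaw = require('@authensor/safeclaw');

safeclaw.init({
  mode: 'simulation',  // observe and record actions without blocking them
  audit: true          // keep an audit trail of everything the agent attempted
});

const { runAgent } = require('./agent-loop'); // placeholder for your agent code
runAgent();
```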
Step 3: Define Deny-by-Default Policies
Based on the simulation audit, write policies for what the agent should be allowed to do within the container:
```yaml
rules:
  - action: "file:read"
    path: "/workspace/**"
    effect: "allow"
  - action: "file:write"
    path: "/workspace/output/**"
    effect: "allow"
  - action: "shell:execute"
    command: "python *.py"
    effect: "allow"
  - action: "network:request"
    host: "api.approved-service.com"
    effect: "allow"
  # Everything else is denied by default
```
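To make deny-by-default concrete, here is a conceptual sketch of how such a policy resolves requests. This illustrates the evaluation model only; it is not SafeClaw's actual engine, and the rule and request shapes are simplified:

```javascript
// Conceptual deny-by-default evaluation: a request is allowed only if
// some rule explicitly matches it; everything else is refused.
const rules = [
  { action: 'file:read',  path: /^\/workspace\// },
  { action: 'file:write', path: /^\/workspace\/output\// },
];

function isAllowed(request) {
  return rules.some(
    (rule) => rule.action === request.action && rule.path.test(request.path)
  );
}

console.log(isAllowed({ action: 'file:read',  path: '/workspace/data.csv' })); // true
console.log(isAllowed({ action: 'file:write', path: '/etc/passwd' }));         // false, denied by default
```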
Step 4: Correlate Docker and SafeClaw Policies
Ensure your SafeClaw policies and Docker configuration are aligned:
| Layer | Control | Example |
|---|---|---|
| Docker network | Which hosts are reachable | Only api.approved-service.com on port 443 |
| SafeClaw network | Which requests are permitted | Only GET requests to /api/data |
| Docker volumes | Which paths are mounted | Only /workspace mounted read-write |
| SafeClaw file | Which file operations are allowed | Only writes to /workspace/output/ |
SafeClaw provides granular control within the boundaries Docker establishes.
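As a concrete pairing (network, mount, and image names are illustrative), Docker exposes only one mounted directory and one user-defined network, and the Step 3 policy then narrows what happens inside those boundaries:

```bash
# Docker establishes the outer boundary: one mounted directory, one network.
docker run --rm \
  --network agent-net \
  -v "$PWD/project:/workspace" \
  my-agent-image
# Inside that boundary, the Step 3 SafeClaw policy still limits writes to
# /workspace/output/** and requests to api.approved-service.com.
```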
Step 5: Enable Enforcement and Audit
Switch to enforcement mode with hash-chained audit logging:
```javascript
safeclaw.init({
  mode: 'enforce',
  policy: './safeclaw-policy.yaml',
  audit: true
});
```
Now your agent operates in a container with both environmental isolation (Docker) and behavioral control (SafeClaw). The audit trail records every action for compliance and debugging.
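Hash-chaining is a standard tamper-evidence technique: each log entry carries a hash of the entry before it, so editing any earlier entry breaks every later link. A minimal conceptual sketch of the idea (not SafeClaw's internal log format):

```javascript
// Conceptual hash-chained log; illustrative only.
const crypto = require('crypto');

function appendEntry(log, action) {
  const prevHash = log.length ? log[log.length - 1].hash : 'GENESIS';
  const entry = { action, prevHash, timestamp: Date.now() };
  entry.hash = crypto
    .createHash('sha256')
    .update(JSON.stringify({ action, prevHash, timestamp: entry.timestamp }))
    .digest('hex');
  log.push(entry);
  return log;
}

// Tampering with any earlier entry changes its hash and invalidates the
// prevHash of every entry after it, which makes the modification detectable.
const log = [];
appendEntry(log, 'file:write /workspace/output/report.md');
appendEntry(log, 'network:request api.approved-service.com');
```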
Real-World Example: The Mounted Volume Problem
A common Docker pattern mounts a host directory as a volume for the agent to work with. Docker provides no control over what the agent does inside that volume. Without SafeClaw:
- Agent can run `rm -rf /workspace/*` and destroy all project files
- Agent can read `.env` files containing secrets
- Agent can modify `package.json` to add malicious dependencies
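With SafeClaw running in the same container, a policy in the Step 3 format (paths are illustrative) blocks all three of these while still letting the agent work:

```yaml
rules:
  - action: "file:read"
    path: "/workspace/src/**"
    effect: "allow"
  - action: "file:write"
    path: "/workspace/output/**"
    effect: "allow"
# No rule matches reading .env, rewriting package.json, or a destructive
# shell command, so each is denied by default and recorded in the audit log.
```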
Performance Considerations
SafeClaw adds negligible overhead inside a container. The policy engine evaluates action requests in memory with no external calls. For containerized deployments where latency matters, SafeClaw's zero-dependency, in-process architecture is ideal.
Related reading:
- Migration Guide: Adding SafeClaw to an Existing AI Agent
- SafeClaw Compared: How It Stacks Up Against Every Alternative
- SafeClaw Features: Everything You Get Out of the Box
- The Complete Guide to AI Agent Safety (2026)
Try SafeClaw
Action-level gating for AI agents. Set it up in your browser in 60 seconds.
```bash
$ npx @authensor/safeclaw
```