Skip to main content

Sandbox isolation and security

Agenta runs agent code in a sandbox. A self-hosted deployment picks the sandbox provider: a Daytona cloud sandbox, or a local run inside the runner container. The two give different isolation, so the choice decides whether it is safe to let other people run agents on your deployment.

Daytona isolates every run. Local runs do not isolate agents from each other or from the runner. Enable providers with AGENTA_RUNNER_ENABLED_SANDBOX_PROVIDERS; see Runner and sandbox configuration for the syntax and Run agents in a cloud sandbox (Daytona) for the Daytona setup.

Daytona

The boundary

Each run gets its own cloud sandbox: a separate machine with its own filesystem, processes, and environment. Agent code in a Daytona run cannot read the runner container's filesystem, its process environment, or the working directory of another run.

What crosses into a Daytona sandbox

ValueCrosses in
The model key for the runYes. The harness needs it to call the model.
The run's own working directoryYes, mounted from the durable store.
The runner's Daytona API keyNo. It stays on the runner.
The runner's other environment variablesNo.
A mounted personal subscription loginNo. It never leaves the runner container.

What Daytona runs share with each other

Nothing. Each run gets its own sandbox, so one user's agent cannot see another user's agent, its files, or its model key. Sandboxes are reused across the turns of one session only.

When to use it

Use Daytona when more than one person can start runs on the deployment, or when the deployment is reachable by people you do not fully trust. See Run agents in a cloud sandbox (Daytona).

Local runs

The boundary

A local run executes the harness inside the runner container. The container is a boundary against the host: agent code cannot read files, environment variables, or executables outside the container unless you mounted them into it. Mounting a host directory into the runner (a repository worktree, a subscription login) puts it inside that boundary and inside reach of every local run.

What crosses into a local run

ValueCrosses in
The model key for the runYes. The harness needs it to call the model.
The run's own working directoryYes.
The runner container's environmentYes, including AGENTA_RUNNER_TOKEN and, when it is set, AGENTA_RUNNER_DAYTONA_API_KEY.
Anything you mounted into the runner containerYes, including a personal subscription login.
Anything on the host you did not mountNo.

What local runs share with each other

Every local run executes in the same runner container. Agents in that container share its filesystem, so one agent can read the working directory of another agent running at the same time. They also share the container's environment and its mounts.

Local runs are not isolated from each other

On a multi-user deployment, one user's agent can read another user's agent files, the runner's environment variables (including the Daytona API key and the runner token), and any credential you mounted into the runner. Enable daytona for multi-user deployments.

When to use it

Use local runs on a deployment you run for yourself or for a team that already trusts each other with the same data. They need no cloud account, and they are the only runs that can authenticate a harness with a personal subscription login. Constrain what an agent may do inside the container with the agent's own tool permissions. See Run agents locally.

Next