Security & Sandboxing

Locus can run AI agents inside Docker Desktop sandboxes (Docker 4.58+). This page covers the security model: what is protected, what is not, and how to configure it.

Why Sandboxing

AI agents in full-auto mode have unrestricted filesystem access. Without sandboxing, an agent can read .env files, API keys, cloud credentials, and any other file on your machine.

Threat Model

Risks sandboxing addresses:

• AI agent reads host secrets from local files

• AI agent accesses host-level credentials or system paths

• Sensitive files unintentionally included in model context

Risks you still need to manage:

• --no-sandbox removes all sandbox protections

• Secrets committed to tracked files are visible in the synced workspace

• Misconfigured .sandboxignore rules can re-include sensitive files

Default Secret Protection

When you run locus init, Locus generates a .sandboxignore with secure defaults:

These files are excluded from sandbox execution by default. !.env.example is re-included for template use.

.sandboxignore Syntax

Uses .gitignore-style pattern rules:

Example:

Unsafe patterns to avoid:

• !.env -- re-includes production env files

• !*.pem -- re-includes private keys

• Removing cloud credential directory exclusions

Sandbox Modes

Sync Boundaries

• Scope: Active project workspace is synced between host and sandbox

• Direction: Bidirectional -- changes from sandboxed execution come back to your workspace

• Timing: Sync occurs during command execution; .sandboxignore is enforced before agent steps

• Exclusions: Files matching .sandboxignore patterns are removed from sandbox visibility

Team Security Checklist

• Docker Desktop 4.58+ is installed and docker sandbox ls succeeds

• CI and automations use --sandbox=require to block insecure fallback

• .sandboxignore is version-controlled with .env, credential, and cloud config exclusions

• .env.example contains placeholders only (no real secrets)

• Real secrets are in secret managers, not tracked files

• Team reviews .sandboxignore changes as security-sensitive

Troubleshooting

"Docker sandbox not available"

Docker Desktop is missing or below 4.58. Upgrade and verify:

"Docker is not responding"

Start Docker Desktop, wait for initialization, then:

File sync delays

Large files or high-frequency writes can cause visible sync latency. Keep large generated artifacts out of active execution loops.

Customization Hooks

Locus provides two optional hook scripts in .locus/ for sandbox customization:

Neither script runs during automated AI agent execution (locus run, locus exec). See locus sandbox for full details and examples.

Related Docs

• Sandboxing Setup

• Auto-Approval Mode

• locus sandbox