Feat: Built-in Automatic Sandbox Setup for Supported Agents

[christso]

Problem

CLI coding agents execute arbitrary code, so running them sandboxed is a best practice for security.

Proposal

Add native support for automatically setting up isolated sandboxes when installing/running agents.

Key Benefits

• One-click secure execution: Leverage Docker Desktop's docker sandbox run for officially supported agents (e.g., Claude Code, Gemini CLI).
• Fallback to custom/community images for others (e.g., OpenCode — many manual Docker setups already exist in the community).
• Optional flags/config in AllAgents CLI (e.g., --sandbox or YAML workspace setting) to enable hardened containers with auto-mounting of the current repo, capability drops, read-only where possible, and approval workflows.
• Aligns perfectly with AllAgents' git-friendly, declarative approach — sandbox configs could be stored in the workspace repo.

This would make AllAgents the safest and most convenient way to run multi-agent coding workflows, reducing friction for users concerned about security.

References

• Docker Sandboxes docs: https://docs.docker.com/ai/sandboxes/
• Example community OpenCode sandbox: (link to any public Dockerfile if you have one)