declaw sandbox (alias declaw sb) is the core command group for working with sandboxes. Global flags (--api-key, --domain, --json) apply to every subcommand.
create
Create a new sandbox.Core flags
| Flag | Short | Default | Description |
|---|---|---|---|
--template | -t | base | Template to boot from |
--timeout | 300 | Lifetime in seconds before automatic destruction | |
--env | -e | Env var KEY=VALUE, or bare KEY to forward the value from your shell. Repeatable | |
--vault-ref | Vault-backed env ENV_VAR=secret-name. The VM gets a placeholder; the real secret is injected at the egress proxy. Repeatable | ||
--metadata | Arbitrary KEY=VALUE metadata. Repeatable | ||
--volume | Attach a volume: VOLUME_ID:MOUNT_PATH[:MODE[:SUBPATH]]. MODE is copy (default), mount, or mount-ro; SUBPATH is live-mount only. Repeatable | ||
--secure | true | Enable the security pipeline |
Security policy flags
These compose into a single security policy applied to the sandbox. See Security overview for the concepts behind them.| Flag | Default | Description |
|---|---|---|
--injection-domain | Restrict prompt-injection scanning to these egress hosts (exact, *.suffix, or ~regex). With no hosts listed, no scanning runs. Repeatable | |
--injection-full | false | Enable the full prompt-injection defense cascade |
--injection-mode | balanced | Detection posture: strict, balanced, permissive, agentic-tool, or data-egress-sensitive |
--injection-policy | Natural-language description of allowed agent behavior | |
--injection-always-judge | false | Run the deeper judge on every outbound request |
--content-gate-domains | Enable the content gate and restrict it to these hosts | |
--opa-policy | Path to a .rego file to apply as an inline policy | |
--opa-policy-module | Path to a .rego file added as an independent module. Repeatable | |
--opa-policy-ref | Pre-published bundle ref: name@version, sha256:<hex>, or blob:<key> | |
--opa-fail-closed | false | Deny requests if the policy evaluator is unreachable (default is fail-open) |
list
List your sandboxes (aliasls).
| Flag | Default | Description |
|---|---|---|
--state | Filter by state: live, paused, or killed | |
--limit | 0 | Maximum rows to return |
--offset | 0 | Pagination offset |
info
Show details for one sandbox (ID, template, state, name, start/end time, metadata).kill
Destroy one or more sandboxes.pause / resume
Pause a running sandbox (freeing compute) and resume it later from where it left off.exec
Run a command inside a sandbox. Use-- to separate the command from CLI flags. Output streams live; the command’s exit code is propagated.
| Flag | Short | Default | Description |
|---|---|---|---|
--cwd | Working directory for the command | ||
--user | User to run as | ||
--timeout | 60 | Command timeout in seconds | |
--env | -e | Env var KEY=VALUE for this command. Repeatable |
--json, output is buffered and printed as {exit_code, stdout, stderr}.
connect
Open an interactive terminal (PTY) into a sandbox, sized to your local terminal and resized on window changes. Disconnect withCtrl-D or exit.
files
Transfer and list files in a running sandbox.| Subcommand | Args | Notes |
|---|---|---|
files ls <sandbox-id> <path> | sandbox + directory | Lists entries with type and size |
files read <sandbox-id> <path> | sandbox + remote path | Prints to stdout, or --output/-o writes to a local file |
files write <sandbox-id> <remote> <local> | sandbox + remote + local | Uploads a local file |
Next steps
- Volume commands — attach and manage data volumes
- Vault commands — inject secrets without putting them in the VM
- Security overview — what the policy flags configure