> ## Documentation Index
> Fetch the complete documentation index at: https://docs.declaw.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Sandbox Commands

> Create, inspect, exec into, connect to, and manage Declaw sandboxes from the command line with declaw sandbox.

`declaw sandbox` (alias `declaw sb`) is the core command group for working with sandboxes. Global flags (`--api-key`, `--domain`, `--json`) apply to every subcommand.

## create

Create a new sandbox.

```bash theme={null}
declaw sandbox create --template python --timeout 600 --env OPENAI_API_KEY
```

### Core flags

| Flag          | Short | Default | Description                                                                                                                                            |
| ------------- | ----- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `--template`  | `-t`  | `base`  | Template to boot from                                                                                                                                  |
| `--timeout`   |       | `300`   | Lifetime in seconds before automatic destruction                                                                                                       |
| `--env`       | `-e`  |         | Env var `KEY=VALUE`, or bare `KEY` to forward the value from your shell. Repeatable                                                                    |
| `--vault-ref` |       |         | Vault-backed env `ENV_VAR=secret-name`. The VM gets a placeholder; the real secret is injected at the egress proxy. Repeatable                         |
| `--metadata`  |       |         | Arbitrary `KEY=VALUE` metadata. Repeatable                                                                                                             |
| `--volume`    |       |         | Attach a volume: `VOLUME_ID:MOUNT_PATH[:MODE[:SUBPATH]]`. `MODE` is `copy` (default), `mount`, or `mount-ro`; `SUBPATH` is live-mount only. Repeatable |
| `--secure`    |       | `true`  | Enable the security pipeline                                                                                                                           |

### Security policy flags

These compose into a single security policy applied to the sandbox. See [Security overview](/security/overview) for the concepts behind them.

| Flag                       | Default    | Description                                                                                                                                   |
| -------------------------- | ---------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
| `--injection-domain`       |            | Restrict prompt-injection scanning to these egress hosts (exact, `*.suffix`, or `~regex`). With no hosts listed, no scanning runs. Repeatable |
| `--injection-full`         | `false`    | Enable the full prompt-injection defense cascade                                                                                              |
| `--injection-mode`         | `balanced` | Detection posture: `strict`, `balanced`, `permissive`, `agentic-tool`, or `data-egress-sensitive`                                             |
| `--injection-policy`       |            | Natural-language description of allowed agent behavior                                                                                        |
| `--injection-always-judge` | `false`    | Run the deeper judge on every outbound request                                                                                                |
| `--content-gate-domains`   |            | Enable the content gate and restrict it to these hosts                                                                                        |
| `--opa-policy`             |            | Path to a `.rego` file to apply as an inline policy                                                                                           |
| `--opa-policy-module`      |            | Path to a `.rego` file added as an independent module. Repeatable                                                                             |
| `--opa-policy-ref`         |            | Pre-published bundle ref: `name@version`, `sha256:<hex>`, or `blob:<key>`                                                                     |
| `--opa-fail-closed`        | `false`    | Deny requests if the policy evaluator is unreachable (default is fail-open)                                                                   |

## list

List your sandboxes (alias `ls`).

```bash theme={null}
declaw sandbox list --state live --limit 20
```

| Flag       | Default | Description                                    |
| ---------- | ------- | ---------------------------------------------- |
| `--state`  |         | Filter by state: `live`, `paused`, or `killed` |
| `--limit`  | `0`     | Maximum rows to return                         |
| `--offset` | `0`     | Pagination offset                              |

## info

Show details for one sandbox (ID, template, state, name, start/end time, metadata).

```bash theme={null}
declaw sandbox info sbx-abc123
```

## kill

Destroy one or more sandboxes.

```bash theme={null}
declaw sandbox kill sbx-abc123
declaw sandbox kill sbx-abc123 sbx-def456   # kill several at once
```

## pause / resume

Pause a running sandbox (freeing compute) and resume it later from where it left off.

```bash theme={null}
declaw sandbox pause sbx-abc123
declaw sandbox resume sbx-abc123
```

## exec

Run a command inside a sandbox. Use `--` to separate the command from CLI flags. Output streams live; the command's exit code is propagated.

```bash theme={null}
declaw sandbox exec sbx-abc123 -- python3 -c "print('hello')"
```

| Flag        | Short | Default | Description                                      |
| ----------- | ----- | ------- | ------------------------------------------------ |
| `--cwd`     |       |         | Working directory for the command                |
| `--user`    |       |         | User to run as                                   |
| `--timeout` |       | `60`    | Command timeout in seconds                       |
| `--env`     | `-e`  |         | Env var `KEY=VALUE` for this command. Repeatable |

With `--json`, output is buffered and printed as `{exit_code, stdout, stderr}`.

## connect

Open an interactive terminal (PTY) into a sandbox, sized to your local terminal and resized on window changes. Disconnect with `Ctrl-D` or `exit`.

```bash theme={null}
declaw sandbox connect sbx-abc123
```

## files

Transfer and list files in a running sandbox.

```bash theme={null}
declaw sandbox files ls sbx-abc123 /workspace
declaw sandbox files read sbx-abc123 /workspace/out.txt --output ./out.txt
declaw sandbox files write sbx-abc123 /workspace/in.csv ./local.csv
```

| Subcommand                                  | Args                     | Notes                                                       |
| ------------------------------------------- | ------------------------ | ----------------------------------------------------------- |
| `files ls <sandbox-id> <path>`              | sandbox + directory      | Lists entries with type and size                            |
| `files read <sandbox-id> <path>`            | sandbox + remote path    | Prints to stdout, or `--output`/`-o` writes to a local file |
| `files write <sandbox-id> <remote> <local>` | sandbox + remote + local | Uploads a local file                                        |

## Next steps

* [Volume commands](/cli/volume) — attach and manage data volumes
* [Vault commands](/cli/vault) — inject secrets without putting them in the VM
* [Security overview](/security/overview) — what the policy flags configure
