Document firewall Docker socket restrictions

.github/aw/actions-lock.json

@@ -47,8 +47,8 @@
     },
     "actions/github-script@v7.0.1": {
       "repo": "actions/github-script",
-      "version": "v7.1.0",
-      "sha": "f28e40c7f34bde8b3046d885e986cb6290c5673b"
+      "version": "v7.0.1",
+      "sha": "60a0d83039c74a4aee543508d2ffcb1c3799cdea"
     },
     "actions/github-script@v8.0.0": {
       "repo": "actions/github-script",

docs/src/content/docs/reference/frontmatter-full.md

@@ -868,8 +868,8 @@ sandbox:
     # (optional)
     type: "awf"
 
-    # Custom command to replace the default AWF or SRT installation. For AWF: 'docker
-    # run my-custom-awf-image'. For SRT: 'docker run my-custom-srt-wrapper'
+    # Custom command to replace the default AWF or SRT installation. For AWF:
+    # '/usr/local/bin/custom-awf-wrapper'. For SRT: '/usr/local/bin/custom-srt-wrapper'
     # (optional)
     command: "example-value"
 
@@ -886,7 +886,8 @@ sandbox:
 
     # Container mounts to add when using AWF. Each mount is specified using Docker
     # mount syntax: 'source:destination:mode' where mode can be 'ro' (read-only) or
-    # 'rw' (read-write). Example: '/host/path:/container/path:ro'
+    # 'rw' (read-write). Example: '/host/path:/container/path:ro'. Docker socket
+    # mounts such as '/var/run/docker.sock' are not supported.
     # (optional)
     mounts: []
       # Array of Mount specification in format 'source:destination:mode'
@@ -917,7 +918,7 @@ sandbox:
       ignoreViolations:
         {}
 
-      # Enable weaker nested sandbox mode (recommended: true for Docker access)
+      # Enable weaker nested sandbox mode (use only when required)
       # (optional)
       enableWeakerNestedSandbox: true
 

docs/src/content/docs/reference/sandbox.md

@@ -92,6 +92,13 @@ AWF automatically mounts several paths from the host into the container to enabl
 
 These default mounts ensure the agent has access to essential tools and the repository files. Custom mounts specified via `sandbox.agent.mounts` are added alongside these defaults.
 
+> [!WARNING]
+> Docker socket access is not supported for security
+> reasons. The agent firewall does not mount
+> `/var/run/docker.sock`, and custom mounts cannot add
+> it, preventing agents from spawning Docker
+> containers.
+
 #### Custom AWF Configuration
 
 Use custom commands, arguments, and environment variables to replace the standard AWF installation with a custom setup:
@@ -100,7 +107,7 @@ Use custom commands, arguments, and environment variables to replace the standar
 sandbox:
   agent:
     id: awf
-    command: "docker run --rm my-custom-awf-image"
+    command: "/usr/local/bin/custom-awf-wrapper"
     args:
       - "--custom-logging"
       - "--debug-mode"
@@ -178,7 +185,7 @@ network:
 | `filesystem.denyRead` | `string[]` | Paths denied for read access |
 | `filesystem.denyWrite` | `string[]` | Paths denied for write access |
 | `ignoreViolations` | `object` | Map of command patterns to paths that should ignore violations |
-| `enableWeakerNestedSandbox` | `boolean` | Enable weaker nested sandbox mode (recommended for Docker access) |
+| `enableWeakerNestedSandbox` | `boolean` | Enable weaker nested sandbox mode (use only when required) |
 
 > [!NOTE]
 > Network Configuration
@@ -267,11 +274,11 @@ features:
 sandbox:
   mcp:
     container: "ghcr.io/githubnext/gh-aw-mcpg:latest"
-    args: ["--rm", "-i", "-v", "/var/run/docker.sock:/var/run/docker.sock"]
+    args: ["--rm", "-i"]
     entrypointArgs: ["--routed", "--listen", "0.0.0.0:8000", "--config-stdin"]
     port: 8000
     env:
-      DOCKER_API_VERSION: "1.44"
+      LOG_LEVEL: "info"
 ```
 
 ## Legacy Format