[docker/cli] Run Dev Containers inside Docker Sandboxes for AI coding agent workflows

### ROOT CAUSE The issue arises from the need to combine the isolation benefits of Docker Sandboxes with the development environment capabilities of Dev Containers. The current challenge is that Dev Containers typically require access to the host's Docker daemon, which can introduce security risks by exposing host resources. Docker Sandboxes provide isolation but lack the Dev Container infrastructure. The core problem is the absence of a mechanism to run a Dev Container within a Sandbox while maintaining the necessary environment and security. ### CODE FIX To address this, we can extend the Docker CLI to support running a Dev Container inside a Sandbox. Here's a technical solution: 1. **Add a new command `docker sandbox dev`**: - This command would initialize a Sandbox with a Dev Container configuration. - It would parse a `devcontainer.json` or similar configuration file to set up the container environment. 2. **Modify the Sandbox runtime**: - Integrate Dev Container features (e.g., multi-user workspaces, shared volumes) into the Sandbox. - Ensure the Sandbox isolates the Dev Container from the host, including restricting access to sensitive resources. 3. **Security Enhancements**: - By default, disable the Docker socket inside the Sandbox to prevent Dev Containers from accessing the host's Docker daemon. - Allow explicit socket access via flags (e.g., `--expose-socket`) for advanced use cases, but warn users of the risks. 4. **Implementation Snippet**: ```go // In the Docker CLI codebase, add a new command handler for "sandbox dev" func (c *cli) RunDevContainer(sandboxID string) error { // Validate the Dev Container configuration config, err := parseDevContainerConfig(".devcontainer/devcontainer.json") if err != nil { return err } // Start the Sandbox with Dev Container settings sandbox, err := c.sandboxClient.Get(sandboxID) if err != nil { return err } // Configure the Sandbox to use the Dev Container image sandbox.Image = config.DevImage sandbox.Env = append(sandbox.Env, config.Env...) // Apply security defaults (disable Docker socket access) sandbox.Security.DockerSocket = false // Start the Sandbox return c.sandboxClient.Start(sandbox) } ``` 5. **User Workflow**: - Developers define their Dev Container configuration in a `.devcontainer/devcontainer.json`. - They run `docker sandbox dev` to launch an isolated environment with the specified Dev Container. This fix enhances Docker's CLI to seamlessly integrate Dev Containers into Sandboxes, providing a secure and efficient workflow for AI agent development.