NVIDIA · drew · Jun 5, 2026 · Jun 5, 2026 · Jun 5, 2026 · Jun 8, 2026
@@ -40,6 +40,15 @@ template resource limits. Docker and Podman apply them as runtime limits.
 Kubernetes mirrors each limit into the matching request. VM accepts the fields
 but currently ignores them.
 
+Docker and Podman also accept per-sandbox driver-config mounts for existing
+runtime-managed named volumes and tmpfs mounts. Podman additionally accepts
+image mounts through its image-volume API. User-supplied host bind mounts are
+available only when explicitly enabled in the active local driver table of
+`gateway.toml`. Host bind mounts are an unsafe operator override because they
+place gateway-host filesystem state inside the sandbox and can negate OpenShell
+workspace isolation and filesystem-policy controls. Driver-owned supervisor,
+token, and TLS bind mounts stay reserved.
+
 Kubernetes deployments may set an AppArmor profile on sandbox agent containers
 through the driver configuration. The Helm chart defaults sandbox agents to
 `Unconfined` so runtime/default AppArmor profiles do not block supervisor

@@ -21,6 +21,7 @@ tracing = { workspace = true }
 bytes = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
+prost-types = { workspace = true }
 bollard = { version = "0.20" }
 tar = "0.4"
 tempfile = "3"

@@ -36,6 +36,42 @@ contract:
 
 The agent child process does not retain these supervisor privileges.
 
+## Driver Config Mounts
+
+The gateway forwards the `docker` block from `--driver-config-json` to this
+driver. The driver accepts user-supplied `mounts` entries with these Docker
+mount types:
+
+- `bind`: mounts an absolute host path when `[openshell.drivers.docker]`
+  has `enable_bind_mounts = true`.
+- `volume`: mounts an existing Docker named volume. The driver validates that
+  the volume exists before provisioning and never creates or removes it.
+- `tmpfs`: mounts an in-memory filesystem with optional `options`,
+  `size_bytes`, and `mode`.
+
+Host bind mounts are disabled by default because they expose gateway host
+paths to sandbox requests. They are an unsafe operator override: mounting
+gateway-host paths into sandboxes can negate OpenShell workspace isolation and
+filesystem-policy controls. Enable them only for trusted local workflows where
+you understand and accept that loss of isolation. Image mounts are not part of
+the Docker driver-config schema. The driver still uses internal bind mounts
+for OpenShell-owned supervisor, token, and TLS material.
+
+Docker `bind` mounts accept `source`, `target`, and optional `read_only`.
+Docker `volume` mounts may include `subpath`. Mount targets must be absolute
+container paths and must not replace the workspace root (`/sandbox`) or overlap
+OpenShell supervisor files, auth material, TLS material, or `/run/netns`.
+
+Example named-volume usage:
+
+```shell
+docker volume create openshell-work
+
+openshell sandbox create \
+  --driver-config-json '{"docker":{"mounts":[{"type":"volume","source":"openshell-work","target":"/sandbox/work"}]}}' \
+  -- claude
+```
+
 ## Supervisor Binary Resolution
 
 The Docker driver bind-mounts a host-side Linux `openshell-sandbox` binary into