#357 code_executor: Use Docker sandbox with auto-detection
Description
## Issue
code_executor.py and shell_command.py run untrusted code without sandboxing.
## Sandbox Image
`python:3.12-bookworm` - includes Python + Debian tools (bash, curl, wget, git, etc.)
If jq is needed, tests should use Python's json module instead.
## Detection Logic (Revised)
```python
import os


def _can_use_docker_sandbox() -> bool:
    """Check if the Docker socket is accessible and the daemon answers a ping."""
    docker_socket = '/var/run/docker.sock'
    if os.path.exists(docker_socket):
        try:
            import docker  # Docker SDK for Python (docker-py)
            client = docker.from_env()
            client.ping()
            return True
        except Exception:
            # Missing SDK, permission denied on the socket, or daemon down:
            # in all of these cases we cannot sandbox via Docker.
            return False
    return False


def _is_running_in_docker() -> bool:
    """Check if this process is inside a Docker (or LXC) container."""
    if os.path.exists('/.dockerenv'):
        return True
    try:
        with open('/proc/1/cgroup', 'r') as f:
            cgroup = f.read()  # read once; a second f.read() would return ''
        return 'docker' in cgroup or 'lxc' in cgroup
    except OSError:
        return False
```
## Decision Flow
1. Docker socket accessible? → Use sandbox container (python:3.12-bookworm)
2. No socket + inside Docker? → Execute directly (already sandboxed)
3. No socket + not in Docker? → Execute directly + LOG WARNING (unsandboxed)
## Docker-in-Docker Behavior
- Worker in Docker WITH socket mount → Creates sibling containers on host ✓
- Worker in Docker WITHOUT socket → Executes directly (container is sandbox) ✓
## Tools to Sandbox
- `code_executor.py` (tools.code.exec) - arbitrary Python code
- `shell_command.py` (tools.shell.run) - arbitrary shell commands
## Config (config.ini)
```ini
[sandbox]
enabled = true
image = python:3.12-bookworm
; or bridge for network access
network = none
timeout = 300
```
## Security Settings for Container
- `cap_drop=["ALL"]`
- `security_opt=["no-new-privileges:true"]`
- `network_mode="none"` (default, configurable)
- `read_only=true` for filesystem
- `mem_limit="512m"` (configurable)
- Non-root user inside container
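The following is an added example, not code from the project or from this issue: it wires the three-step decision flow above into a pure, unit-testable function (it takes the results of the two probes as booleans instead of calling them), reads the `[sandbox]` config section, and builds the keyword arguments for docker-py's `client.containers.run()` from the hardening list in this section. The constructed sample config, the `65534:65534` (nobody) user, the tmpfs `/tmp` scratch mount and the `mem_limit` key are assumptions, not part of the issue; the `containers.run()` parameter names used (`cap_drop`, `security_opt`, `network_mode`, `read_only`, `mem_limit`, `user`, `tmpfs`, `working_dir`, `detach`) are real docker-py parameters.

```python
"""Added example (not the project's code): decision flow + hardened container options."""
import configparser
import logging
from enum import Enum

log = logging.getLogger("sandbox")

# Constructed sample config mirroring the [sandbox] section described in the issue.
SAMPLE_CONFIG = """
[sandbox]
enabled = true
image = python:3.12-bookworm
network = none
timeout = 300
"""


class ExecMode(Enum):
    SANDBOX = "sandbox"                # step 1: socket reachable, run in a fresh container
    DIRECT_IN_DOCKER = "direct"        # step 2: no socket but already inside a container
    DIRECT_UNSANDBOXED = "unsandboxed" # step 3: no socket, bare host, warn loudly


def decide_execution_mode(docker_socket_ok: bool, in_docker: bool) -> ExecMode:
    """Pure version of the decision flow: the inputs are the results of
    _can_use_docker_sandbox() and _is_running_in_docker(), so this can be
    unit-tested without a Docker daemon."""
    if docker_socket_ok:
        return ExecMode.SANDBOX
    if in_docker:
        return ExecMode.DIRECT_IN_DOCKER
    log.warning("No Docker socket and not inside a container: executing UNSANDBOXED")
    return ExecMode.DIRECT_UNSANDBOXED


def load_sandbox_config(text: str) -> dict:
    """Parse the [sandbox] section; mem_limit is an assumed extra key with a 512m default."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    s = cp["sandbox"]
    return {
        "enabled": s.getboolean("enabled", fallback=True),
        "image": s.get("image", "python:3.12-bookworm"),
        "network": s.get("network", "none"),
        "timeout": s.getint("timeout", fallback=300),
        "mem_limit": s.get("mem_limit", "512m"),
    }


def build_run_kwargs(cfg: dict, command: list) -> dict:
    """Keyword arguments for docker-py's client.containers.run() that apply the
    hardening settings listed in the issue."""
    return {
        "image": cfg["image"],
        "command": command,
        "cap_drop": ["ALL"],                          # no Linux capabilities at all
        "security_opt": ["no-new-privileges:true"],   # setuid binaries cannot escalate
        "network_mode": cfg["network"],               # "none" by default
        "read_only": True,                            # immutable root filesystem
        "mem_limit": cfg["mem_limit"],
        "user": "65534:65534",                        # nobody:nogroup (assumption)
        "tmpfs": {"/tmp": "rw,noexec,nosuid,size=64m"},  # only writable path (assumption)
        "working_dir": "/tmp",
        "detach": True,                               # so we can enforce the timeout below
    }


def run_sandboxed(client, cfg: dict, code: str) -> tuple:
    """Run `code` with the sandbox image's python. `client` is a docker.DockerClient
    (e.g. docker.from_env()); returns (exit_code, combined_output)."""
    kwargs = build_run_kwargs(cfg, ["python", "-c", code])
    container = client.containers.run(**kwargs)
    try:
        # wait() raises a request timeout if the container outlives cfg["timeout"];
        # the finally block then force-removes (kills) it.
        result = container.wait(timeout=cfg["timeout"])
        output = container.logs(stdout=True, stderr=True).decode(errors="replace")
        return result["StatusCode"], output
    finally:
        container.remove(force=True)
```

`decide_execution_mode()` and `build_run_kwargs()` are deliberately side-effect free so the policy (which mode, which container flags) can be covered by ordinary unit tests; only `run_sandboxed()` touches the daemon, and it always removes the container, including after a timeout, so a runaway script cannot linger as a live process with the socket mounted.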