docs(sandboxes): add agent field to audit log schema

Audit records now include an `agent` field identifying which AI agent drove the sandbox (claude, codex, etc.), so multi-agent deployments can attribute policy decisions per agent. Added to the example record and the field reference table. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-19 07:35:16 +00:00 · 2026-06-11 13:52:55 +02:00
parent 568de235c9
commit a5fd2021c7
1 changed files with 3 additions and 1 deletions
@@ -63,7 +63,8 @@ A network evaluation record looks like this:
    "no applicable policies for op(action=net:connect:tcp, resource=net:domain:example.com:443)"
  ],
  "action_type": "network_egress",
-  "network_egress": { "protocol": "tcp" }
+  "network_egress": { "protocol": "tcp" },
+  "agent": "claude"
 }
 ```

@@ -83,6 +84,7 @@ Common fields include:
 | `resource_id`      | The target of the evaluation, such as a host and port.                                                       |
 | `decision`         | `AUDIT_DECISION_ALLOW` or `AUDIT_DECISION_DENY`.                                                             |
 | `deny_reason`      | Why a denied request was blocked. Present on deny decisions.                                                 |
+| `agent`            | The AI agent driving the sandbox (for example, `claude`, `codex`). Omitted when the agent is unknown.       |

 Each record is attributed to the signed-in Docker user and the organization
 whose governance policy is in effect.