Docker Isolation
Run agents inside Docker containers for full sandboxing. Agents get their own filesystem, network, and process space — they can't touch your host system.
Why Docker?
- Security — Agents can't access your host filesystem or credentials
- Reproducibility — Consistent environments across agents and machines
- Isolation — Port conflicts and dependency clashes are impossible
- Cleanup — Containers are disposable — no leftover state
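To confirm that a given agent container really has its own filesystem, network and process space, you can audit its `docker inspect` output for settings that weaken isolation. This is an added example, not part of prlt: the container names and the sample JSON are constructed, and it assumes you know the name Docker itself uses for the agent's container.

```python
import json

# Constructed `docker inspect` output for two hypothetical agent containers.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/agent-a",
     "HostConfig": {"Privileged": False, "NetworkMode": "bridge",
                    "PidMode": "", "CapAdd": None},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/ws/_data",
                 "Destination": "/workspace", "RW": True}]},
    {"Name": "/agent-b",
     "HostConfig": {"Privileged": True, "NetworkMode": "host",
                    "PidMode": "host", "CapAdd": ["SYS_ADMIN"]},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True},
                {"Type": "bind", "Source": "/home/dev/.ssh",
                 "Destination": "/root/.ssh", "RW": False}]},
])

def audit(inspect_json):
    """Return {container_name: [findings]} for settings that weaken isolation."""
    report = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig") or {}
        findings = []
        if hc.get("Privileged"):
            findings.append("privileged mode")
        if hc.get("NetworkMode") == "host":
            findings.append("shares host network namespace")
        if hc.get("PidMode") == "host":
            findings.append("shares host PID namespace")
        for cap in hc.get("CapAdd") or []:
            findings.append(f"added capability {cap}")
        # Bind mounts expose host paths; named volumes stay Docker-managed.
        for m in c.get("Mounts") or []:
            if m.get("Type") == "bind":
                mode = "rw" if m.get("RW") else "ro"
                findings.append(f"host path {m.get('Source')} bind-mounted ({mode})")
        report[c.get("Name", "?").lstrip("/")] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

On a real host, pass `audit()` the JSON printed by `docker inspect` for the containers you want to check instead of the constructed sample.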
Running Agents in Docker
# Start work in a Docker container
$ prlt work start TKT-001 --environment docker

# Or spawn multiple in Docker
$ prlt work spawn --all --environment docker
Note
Docker must be installed and the daemon must be running. Check with prlt docker status.
Container Management
# List all agent containers
$ prlt docker list
bezos  running  TKT-001  2h 15m
musk   running  TKT-003  45m
gates  stopped  —        —

# Start / stop / restart containers
$ prlt docker start bezos
$ prlt docker stop bezos
$ prlt docker restart bezos

# Open a shell in a container
$ prlt docker shell bezos

# View container logs
$ prlt docker logs bezos
Devcontainers
If your project has a .devcontainer config, agents can use it for a fully configured development environment:
# Use the project's devcontainer config
$ prlt work start TKT-001 --environment devcontainer
Cleanup
# Remove orphaned containers (agents that are no longer tracked)
$ prlt docker clean

# Prune unused Docker resources (images, volumes, networks)
$ prlt docker prune

# Sync container status from Docker daemon
$ prlt docker sync
Warning
prlt docker prune removes unused images and volumes. Make sure no important data is in unnamed volumes before running.
GitHub Authentication in Docker
Docker agents need a GitHub token to push branches and create PRs:
# Set up GH_TOKEN for Docker containers
$ prlt gh token