docs: add volumes, sandbox annotation, and AI sandbox documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: rubenfiszel

changelog/2026-02-26-volumes-sandbox-annotation-claude-sandbox/index.md

@@ -0,0 +1,16 @@
+---
+slug: volumes-sandbox-annotation-ai-sandbox
+title: Volumes, sandbox annotation, and AI sandbox
+tags: ['Script editor', 'Enterprise', 'Security']
+description: Persistent volumes for scripts via code annotations, per-script sandbox annotation for Python and TypeScript, and AI sandbox for running coding agents with isolation and persistent state.
+features:
+  - 'Volumes: persistent file storage attached to scripts via comment annotations, synced to workspace object storage.'
+  - 'Dynamic volume names with $workspace and $args[...] interpolation.'
+  - 'Per-worker LRU volume cache (10 GB) with exclusive leasing for concurrency safety.'
+  - 'Per-script sandbox annotation (#sandbox / //sandbox) now supported for Python and TypeScript in addition to Bash.'
+  - 'AI sandbox: sandboxing + volumes pattern for running AI coding agents (Claude Code, Codex, OpenCode) with persistent state.'
+  - 'Built-in Claude Code template using the Claude Agent SDK with volume-backed session persistence.'
+  - 'Volumes UI in the Assets page for browsing, exploring, and deleting volumes.'
+  - 'Community Edition volume limits: max 20 volumes per workspace, 50 MB per file.'
+docs: /docs/core_concepts/ai_sandbox
+---

docs/advanced/security_isolation/index.mdx

@@ -287,20 +287,37 @@ When `job_isolation` is set to `nsjail_sandboxing` but the NSJAIL binary is not
 
 All language executors (Python, TypeScript/Bun, Deno, Go, Bash, Rust, C#, Java, Ansible, PHP, Ruby) respect this setting through a centralized `is_sandboxing_enabled()` check.
 
-### Per-script `#sandbox` bash annotation
+### Per-script sandbox annotation {#sandbox-annotation}
 
-For bash scripts, you can enable sandboxing on a per-script basis using the `#sandbox` annotation:
+You can enable nsjail sandboxing on a per-script basis using the `sandbox` annotation. This works for Python, TypeScript (Bun and Deno), and Bash scripts. When present, the script runs inside an nsjail sandbox even if sandboxing is not enabled globally.
+
+The script will fail with a clear error if nsjail is not available on the worker.
 
 ```bash
 #sandbox
 
 echo "This script runs inside an NSJAIL sandbox"
 ```
 
-When a bash script includes the `#sandbox` annotation, it will be executed inside an NSJAIL sandbox even if neither `job_isolation` nor `DISABLE_NSJAIL` enables sandboxing globally. The script will fail with an error if the NSJAIL binary is not available on the worker.
+```python
+# sandbox
+
+def main():
+    return "sandboxed Python"
+```
+
+```ts
+// sandbox
+
+export async function main() {
+  return "sandboxed TypeScript";
+}
+```
 
 The annotation is logged as "sandbox mode (nsjail)" in job execution logs.
 
+The `sandbox` annotation can be combined with [volume annotations](../../core_concepts/56_volumes/index.mdx) to run scripts with persistent file storage inside a sandbox.
+
 ## Recommended configurations
 
 ### PID namespace isolation (recommended for production)

docs/core_concepts/38_object_storage_in_windmill/index.mdx

@@ -16,6 +16,8 @@ Additionally, for [instance integration](#instance-object-storage), the Enterpri
 
 ![Object storage in Windmill](./object_storage_in_windmill.png 'Object storage in Windmill')
 
+Workspace object storage is also used as the backend for [volumes](../56_volumes/index.mdx), which provide persistent file storage for scripts.
+
 ## Workspace object storage
 
 Connect your Windmill workspace to your S3 bucket, Azure Blob storage, or GCS bucket to enable users to read and write from S3 without having to have access to the credentials. When you reference S3 objects in your code, Windmill automatically tracks these data flows through the [Assets](../52_assets/index.mdx) feature for better pipeline visibility.

docs/core_concepts/52_assets/index.mdx

@@ -8,6 +8,7 @@ Assets are designed to track data flows and visualize data sets, automatically d
 
 - [S3 objects](../38_object_storage_in_windmill/index.mdx#workspace-object-storage) : s3://storage/path/to/file.csv
 - [Resources](../3_resources_and_types/index.mdx) : res://path/to/resource
+- [Volumes](../56_volumes/index.mdx) : volume://name
 
 ![Assets in script editor](./assets_in_script_editor.png 'Assets in script editor')
 

docs/core_concepts/56_volumes/index.mdx

@@ -0,0 +1,182 @@
+---
+description: How do I use volumes in Windmill to persist files across job runs?
+---
+
+import DocCard from '@site/src/components/DocCard';
+
+# Volumes
+
+Volumes provide persistent file storage that can be attached to [scripts](../../getting_started/0_scripts_quickstart/index.mdx) via code annotations. Files written to a volume during a job run are synced back to [object storage](../38_object_storage_in_windmill/index.mdx) and restored on the next run, enabling stateful workflows like caching, model storage, or agent memory.
+
+Volumes are an [Enterprise](/pricing) feature. On the Community Edition, volumes are limited to 20 volumes per workspace and 50 MB per file.
+
+## Setup
+
+Volumes require two things to be configured in your workspace:
+
+1. A [workspace object storage](../38_object_storage_in_windmill/index.mdx#workspace-object-storage) (S3, Azure Blob, GCS, or filesystem).
+2. A **volume storage** selection in the workspace settings under **Storage > Volume storage**. This can be set to the primary storage or any configured secondary storage. If volume storage is not selected, scripts with volume annotations will fail with an error.
+
+Volume data is stored under the `volumes/<workspace_id>/<volume_name>/` prefix in the selected storage.
+
+## Declaring volumes
+
+Volumes are declared with comment annotations at the top of your script. The syntax is:
+
+```
+<comment_prefix> volume: <name> <mount_path>
+```
+
+Where:
+- `<name>` is the volume identifier. Must be 2–255 characters, start and end with an alphanumeric character, and contain only `a-z`, `A-Z`, `0-9`, `.`, `_`, or `-`.
+- `<mount_path>` is the path where the volume will be available during execution. With [nsjail sandboxing](../../advanced/security_isolation/index.mdx), this can be an absolute path (restricted to `/tmp/`, `/mnt/`, `/opt/`, `/home/`, `/data/` prefixes) or a relative path. Without sandboxing, only relative paths are supported (e.g. `.claude`, `data/models`) — they are resolved relative to the job's working directory via a symlink.
+
+A script can mount up to 10 volumes. Duplicate volume names or mount paths within the same script are not allowed.
+
+### TypeScript / JavaScript
+
+```ts
+// volume: mydata data
+export async function main() {
+  // Read and write files in ./data (relative to job working directory)
+  const fs = await import("fs");
+  fs.writeFileSync("data/result.json", JSON.stringify({ ok: true }));
+}
+```
+
+### Python
+
+```python
+# volume: mydata data
+def main():
+    with open("data/result.json", "w") as f:
+        f.write('{"ok": true}')
+```
+
+### With sandbox (absolute paths)
+
+When using the [`sandbox` annotation](../../advanced/security_isolation/index.mdx#sandbox-annotation), you can use absolute mount paths:
+
+```ts
+// sandbox
+// volume: mydata /tmp/data
+export async function main() {
+  const fs = await import("fs");
+  fs.writeFileSync("/tmp/data/result.json", JSON.stringify({ ok: true }));
+}
+```
+
+### Multiple volumes
+
+You can mount multiple volumes on the same script (up to 10):
+
+```python
+# sandbox
+# volume: training-data /tmp/data
+# volume: model-weights /tmp/models
+def main():
+    # /tmp/data has your training data
+    # /tmp/models has your model weights
+    pass
+```
+
+## Dynamic volume names
+
+Volume names support interpolation with `$workspace` and `$args[...]` placeholders, resolved at runtime:
+
+| Placeholder | Resolves to |
+|---|---|
+| `$workspace` | Current workspace ID |
+| `$args[param]` | Value of job input `param` |
+| `$args[param.nested]` | Nested value from a JSON input |
+
+For example:
+
+```python
+# volume: $workspace-cache cache
+# volume: data-$args[env] data
+def main(env: str):
+    pass
+```
+
+When called with `env="prod"` in workspace `acme`, mounts volumes `acme-cache` and `data-prod`.
+
+## How it works
+
+1. **Before execution** — Windmill acquires an exclusive lease on the volume, then downloads the volume's files from object storage into a local directory using a per-worker LRU cache (up to 10 GB). Files are compared by size and MD5 hash to skip unchanged files.
+2. **During execution** — The volume directory is bind-mounted (read-write) into the job's [nsjail](../../advanced/security_isolation/index.mdx) sandbox, or symlinked into the job directory when running without sandboxing.
+3. **After execution** — If the volume is writable, changed and new files are synced back to object storage. Deleted files are removed from the remote. Volume metadata (size, file count) is updated. The lease is released.
+
+Symlinks inside a volume are preserved: they are serialized to a metadata file in object storage and restored on download.
+
+### Exclusive leasing
+
+Only one job can use a given volume at a time. Windmill acquires an exclusive lease (60-second TTL, auto-renewed every 10 seconds) on each volume before downloading. If the volume is already leased by another worker, the job waits for the lease to be released.
+
+### Agent workers
+
+Volumes work with [agent workers](../28_agent_workers/index.mdx). Agent workers interact with volumes through an HTTP proxy API on the Windmill server — the same lease, download, sync-back, and permission logic applies.
+
+## Permissions
+
+Volumes support fine-grained permissions through Windmill's standard sharing model. You can share a volume with specific users or groups and set read-only or read-write access.
+
+- **Owner** — the user who created the volume (or whose job first created it). Has full read-write access and can delete the volume.
+- **Read-only** — the job can use the volume but changes are not synced back to object storage after execution.
+- **Read-write** — the job can both read from and write to the volume.
+- **No permission** — if a volume has permissions set and the job's user has no matching entry, the job will fail.
+
+Volumes with no permissions set (empty `extra_perms`) are accessible to all workspace users.
+
+Admins always have full access to all volumes.
+
+Permissions can be managed from the Volumes drawer in the [Assets](../52_assets/index.mdx) page using the share button.
+
+## Managing volumes
+
+### Creating volumes
+
+Volumes can be created in two ways:
+
+- **Automatically** — when a job with a volume annotation runs and the volume doesn't exist yet, it is created with the job's user as owner.
+- **Manually** — from the Volumes drawer in the [Assets](../52_assets/index.mdx) page using the "New volume" button.
+
+### Exploring and deleting
+
+From the Volumes drawer you can:
+
+- View metadata: file count, total size, owner, last used timestamp.
+- Explore files in the volume using the S3 file browser.
+- Share the volume and manage permissions.
+- Delete the volume (owner, users with write permission, or admins). Deleting removes both the database metadata and all files from object storage. A volume that is currently leased by a running job cannot be deleted.
+
+<!-- TODO: add screenshot of the Volumes drawer from the Assets page showing a list of volumes with their metadata -->
+
+## Volumes and sandboxing
+
+Volumes work with both sandboxed ([nsjail](../../advanced/security_isolation/index.mdx)) and non-sandboxed execution, but the mount path behavior differs:
+
+- **With nsjail (sandbox)** — The volume directory is bind-mounted read-write at the declared mount path inside the sandbox. Both absolute (restricted to `/tmp/`, `/mnt/`, `/opt/`, `/home/`, `/data/`) and relative paths work. Relative paths are resolved relative to the nsjail working directory (`/tmp/bun` for Bun/TypeScript, `/tmp/deno` for Deno, `/tmp` for Python and others).
+- **Without nsjail** — Only relative mount paths are supported. Windmill creates a symlink from the job directory to the volume's local directory.
+
+You can combine volumes with the [`sandbox` annotation](../../advanced/security_isolation/index.mdx#sandbox-annotation) to enable per-script sandboxing, which is required if you need absolute mount paths:
+
+```ts
+// sandbox
+// volume: agent-memory .claude
+export async function main() {
+  // Sandboxed execution with persistent .claude directory
+}
+```
+
+<DocCard
+  title="AI sandbox"
+  description="Run AI coding agents with sandboxing and persistent volumes"
+  href="/docs/core_concepts/ai_sandbox"
+/>
+
+<DocCard
+  title="Security and process isolation"
+  description="Sandbox annotation and nsjail configuration"
+  href="/docs/advanced/security_isolation"
+/>