feat: generate unique Docker network subnets per worktree

- Add NETWORK_SUBNET and DNS_PROXY_IP environment variables to docker-compose.base.yaml
- Generate deterministic /24 subnets based on MD5 hash of directory name
- Use directory name (not config.name) to ensure each worktree gets unique subnet
- Fixes "Pool overlaps with other one on this address space" error when running multiple worktrees

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: alexsteeel

src/ai_sbx/commands/init.py

@@ -1399,10 +1399,20 @@ def project_setup_impl(
     env_file = path / ".devcontainer" / ".env"
     if not env_file.exists():
         env_file.parent.mkdir(parents=True, exist_ok=True)
+
+        # Generate unique subnet for this worktree to avoid network conflicts
+        from ai_sbx.templates import generate_unique_subnet
+
+        subnet, dns_ip = generate_unique_subnet(path.name)
+
         env_content = f"""# Project environment variables
 PROJECT_NAME={path.name}
 PROJECT_DIR={path}
 COMPOSE_PROJECT_NAME={path.name}
+
+# Network configuration (unique per worktree to avoid conflicts)
+NETWORK_SUBNET={subnet}
+DNS_PROXY_IP={dns_ip}
 """
         env_file.write_text(env_content)
         console.print("[green]✓[/green] Created .env file")

src/ai_sbx/docker-compose.base.yaml

@@ -51,7 +51,7 @@ services:
     restart: unless-stopped
     networks:
       ai-sbx-internal:
-        ipv4_address: 172.28.0.53  # Static IP for DNS (port 53 reference)
+        ipv4_address: ${DNS_PROXY_IP:-172.28.0.53}  # Static IP for DNS (port 53 reference)
       ai-sbx-external:
 
   # Main proxy for devcontainer - supports upstream proxy
@@ -77,7 +77,7 @@ services:
     # Use internal DNS proxy for name resolution
     # This allows DNS to work while keeping container on internal network only
     dns:
-      - 172.28.0.53
+      - ${DNS_PROXY_IP:-172.28.0.53}
     environment:
       <<: *devcontainer-proxy-env
       # Project-specific environment
@@ -158,7 +158,7 @@ networks:
     internal: true  # Critical: blocks direct internet access
     ipam:
       config:
-        - subnet: 172.28.0.0/16
+        - subnet: ${NETWORK_SUBNET:-172.28.0.0/16}
   ai-sbx-external:
     name: ${PROJECT_NAME:-project}-ai-sbx-external
     driver: bridge

src/ai_sbx/templates.py

@@ -1,14 +1,43 @@
 """Template management for AI Agents Sandbox."""
 
+import hashlib
 from pathlib import Path
-from typing import Optional
+from typing import Optional, Tuple
 
 from jinja2 import Environment, FileSystemLoader, Template
 
 from ai_sbx.config import BaseImage, ProjectConfig, get_default_whitelist_domains
 from ai_sbx.utils import logger
 
 
+def generate_unique_subnet(project_name: str) -> Tuple[str, str]:
+    """Generate a unique subnet and DNS IP based on project name.
+
+    Uses a hash of the project name to generate a deterministic subnet
+    in the 172.16-31.x.0/24 range to avoid conflicts with other worktrees.
+
+    Args:
+        project_name: The project name to hash
+
+    Returns:
+        Tuple of (subnet, dns_ip) e.g. ("172.18.42.0/24", "172.18.42.53")
+    """
+    # Create a hash of the project name
+    hash_bytes = hashlib.md5(project_name.encode()).digest()
+
+    # Use first two bytes for second and third octet
+    # Second octet: 16-31 (16 values) to stay in private 172.16.0.0/12 range
+    second_octet = 16 + (hash_bytes[0] % 16)
+    # Third octet: 0-255
+    third_octet = hash_bytes[1]
+
+    # Total unique subnets: 16 * 256 = 4096 different /24 subnets
+    subnet = f"172.{second_octet}.{third_octet}.0/24"
+    dns_ip = f"172.{second_octet}.{third_octet}.53"
+
+    return subnet, dns_ip
+
+
 def get_docker_image_name(base_image: BaseImage) -> str:
     """Map base image type to actual Docker image name."""
     mapping = {
@@ -295,13 +324,26 @@ def _generate_dockerfile(self, config: ProjectConfig) -> str:
 
     def _generate_env_file(self, config: ProjectConfig) -> str:
         """Generate .env file content with only Docker runtime variables."""
+        # Use directory name (not config.name) for unique identification
+        # This ensures each worktree gets unique network settings
+        # even though they share the same ai-sbx.yaml with same config.name
+        dir_name = config.path.name
+
+        # Generate unique subnet for this project/worktree to avoid network conflicts
+        subnet, dns_ip = generate_unique_subnet(dir_name)
+
         template = """# Docker Compose Runtime Configuration
 # This file is auto-generated from ai-sbx.yaml
 # To modify settings, edit ai-sbx.yaml and run 'ai-sbx init update'
 
 # Required for Docker Compose
 PROJECT_DIR={{ config.path }}
-COMPOSE_PROJECT_NAME={{ config.name }}
+PROJECT_NAME={{ dir_name }}
+COMPOSE_PROJECT_NAME={{ dir_name }}
+
+# Network configuration (unique per project/worktree to avoid conflicts)
+NETWORK_SUBNET={{ subnet }}
+DNS_PROXY_IP={{ dns_ip }}
 
 # Docker image version
 IMAGE_TAG={{ config.docker.image_tag }}
@@ -330,7 +372,7 @@ def _generate_env_file(self, config: ProjectConfig) -> str:
 {{ key }}={{ value }}
 {% endfor -%}
 """
-        return Template(template).render(config=config)
+        return Template(template).render(config=config, dir_name=dir_name, subnet=subnet, dns_ip=dns_ip)
 
     def _generate_whitelist(self, config: ProjectConfig) -> str:
         """Generate whitelist.txt content."""