Sandboxing

Every shell and build call runs inside a sandbox by default — not as an opt-in, not as an afterthought. An approved bash call still can't read your SSH keys.

How it works

  • Linux: commands run inside bwrap (Bubblewrap).
  • macOS: commands run inside sandbox-exec.
  • Windows: runs unsandboxed — no first-class equivalent yet.

What's reachable

Inside the sandbox:

  • Read-write: the workspace directory.
  • Read-only: system libraries (so builds work).
  • Reachable: the network.
  • Read-only / blocked: ~/.ssh, /etc, and other projects.
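The two lists above (the per-platform backend and the reachability policy) can be written down as one small launcher. The script below is an added example, not the project's own sandbox code: it builds a bwrap invocation on Linux and an SBPL profile for sandbox-exec on macOS that implement exactly that policy. The specific flag set, the profile rules, the refusal to fall back on other platforms and the scratch-home path /tmp/sandbox-home are assumptions made here for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the project's own launcher. It mirrors the policy listed
# above: workspace read-write, system directories read-only, network reachable,
# the home directory (and so ~/.ssh) absent, nothing else from the host visible.
# The flag set, the SBPL rules and the scratch-home path are assumptions.
set -euo pipefail

# Emit the bwrap argument list for WORKSPACE, one argument per line, so the
# policy can be inspected or tested before anything is executed.
bwrap_args() {
    local ws=$1 d
    # Fresh namespaces for everything (pid, user, ipc, uts, net, mounts), then
    # share only the network back in. --new-session blocks TIOCSTI tty injection.
    printf '%s\n' --unshare-all --share-net --die-with-parent --new-session
    # System directories read-only so compilers, linkers and shared libraries
    # work. On merged-/usr systems /lib, /bin etc. are symlinks into /usr;
    # recreate those as symlinks instead of bind-mounting through them.
    for d in /usr /etc /lib /lib64 /bin /sbin; do
        if [ -L "$d" ]; then
            printf '%s\n' --symlink "$(readlink "$d")" "$d"
        elif [ -d "$d" ]; then
            printf '%s\n' --ro-bind "$d" "$d"
        fi
    done
    # Kernel interfaces and a private /tmp. --dev gives a minimal /dev
    # (null, zero, random, ...), not the host's device nodes.
    printf '%s\n' --proc /proc --dev /dev --tmpfs /tmp
    # The only writable host path: the workspace, at its real location.
    printf '%s\n' --bind "$ws" "$ws" --chdir "$ws"
    # $HOME is never bound, so ~/.ssh, ~/.aws and ~/.gitconfig simply do not
    # exist inside. Tools that insist on a home directory get an empty tmpfs one.
    printf '%s\n' --dir /tmp/sandbox-home --setenv HOME /tmp/sandbox-home
}

# Emit an equivalent sandbox-exec (SBPL) profile for WORKSPACE. sandbox-exec is
# deprecated but still shipped; later rules override earlier ones, so the
# explicit ~/.ssh deny wins even when WORKSPACE is the home directory itself.
sandbox_profile() {
    local ws=$1 home=${HOME:-/var/empty}
    cat <<EOF
(version 1)
(deny default)
(allow process-fork)
(allow process-exec*)
(allow sysctl-read)
(allow file-read-metadata)
(allow file-read* (subpath "/usr") (subpath "/System") (subpath "/Library")
                  (subpath "/bin") (subpath "/sbin") (subpath "/private/etc")
                  (subpath "/dev") (subpath "/private/tmp"))
(allow file-write* (subpath "/private/tmp") (literal "/dev/null"))
(allow file-read* file-write* (subpath "$ws"))
(deny file-read* file-write* (subpath "$home/.ssh"))
(allow network*)
EOF
}

# Run COMMAND... inside the sandbox with WORKSPACE read-write. Unlike the
# Windows behaviour described above, this wrapper refuses to run unsandboxed.
run_sandboxed() {
    local ws
    ws=$(cd "$1" && pwd -P) || return 1
    shift
    case "$(uname -s)" in
    Linux)
        local -a args
        mapfile -t args < <(bwrap_args "$ws")
        exec bwrap "${args[@]}" -- "$@"
        ;;
    Darwin)
        local profile rc=0
        profile=$(mktemp)
        sandbox_profile "$ws" >"$profile"
        sandbox-exec -f "$profile" "$@" || rc=$?
        rm -f "$profile"
        return "$rc"
        ;;
    *)
        echo "no sandbox backend for $(uname -s); refusing to run unsandboxed" >&2
        return 2
        ;;
    esac
}

# Usage: run_sandboxed ./myproject cmake --build build -j
#        run_sandboxed ./myproject cat ~/.ssh/id_rsa   # fails: no such file
```

Two design points worth noting. The home directory is not mounted read-only, it is simply absent: a read-only bind of $HOME would still let an approved command read ~/.ssh/id_rsa and send it out over the network that the policy deliberately leaves open. And because the sandbox is built from an empty root rather than by punching holes in the host filesystem, "other projects" are unreachable by default rather than by enumeration.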

Tip: In practice this means that even if you approve a shell command in the autonomous Write profile, it cannot cat ~/.ssh/id_rsa or tamper with other projects on the machine.

Concrete example

An approved build command sees the workspace and system libs, but secrets stay out of reach:

# inside the sandbox
$ cmake --build build -j     # works: workspace and system libraries are reachable
$ cat ~/.ssh/id_rsa          # fails: the home directory is not mounted inside the sandbox at all

Warning: Sandboxing reduces blast radius; it is not a substitute for review. Treat network access inside the sandbox as real: a command you approve can still send the workspace contents, and anything else it can read, to any host it likes.