seal.toml
seal.toml declares everything the agent is allowed to do in a project: which files it can read or write, which commands it can run, which network hosts those commands can reach, which sandbox envelope wraps every spawned child, and which LLM provider drives the loop.
For a worked real-world example, see the seal project’s own seal.toml — it covers layered grants on git / cargo / gh / just / jj, the default_files × paths filesystem shape, and additional_directories usage.
Top-level keys
Section titled “Top-level keys”These keys live at the root of seal.toml — not inside any [bracket] section.
schema_version
Section titled “schema_version”Sections
Section titled “Sections”Each [bracket] table gets its own page:
| Section | Page |
|---|---|
[model] | model — LLM provider, model name, max_tokens, thinking, effort. |
[capabilities] | capabilities — Allow / deny rules for filesystem reads + writes, commands, and network egress. |
[sandbox] | sandbox.os — OS-isolation envelope — filesystem visibility, mask-secrets, tool bundles. |
[command_run] | command_run — Per-command timeouts, output bounds, project env-loading flags. |
[security] | security — Shell-feature toggles: redirects, pipes, subshells, runtime expansion. |
[limits] | limits — Numeric caps: file_read sizes, grep results, max turns. |
[compact] | compact — Context-compaction trigger thresholds and microcompact policy. |
[tasks] | tasks — Stale-task-reminder cadence for the agent’s task list. |
[attribution] | attribution — Opt out of the default-on Co-Authored-By: seal commit trailer. |