[sandbox.os]
Sub-pages
| Sub-section | Page |
|---|---|
| [sandbox.os.command_tools] | sandbox.os.command_tools — Curated per-tool config bundles (git, gh, cargo, bun, node, …). |
command_fs
How much of the host filesystem is visible inside the command_run sandbox before manifest-declared fs_read / fs_write / additional_directories entries layer on top.
Four modes, least-permissive first:
- None — nothing bound by default. Only paths the manifest explicitly names are visible. The strictest posture; tools that depend on /usr/bin etc. will fail to start unless those paths are added explicitly.
- System (default) — system paths bound read-only: /usr, /bin, /sbin, /lib, /lib64, /etc, /nix if present. $HOME is not bound; the manifest names what’s needed (~/.cargo/registry, etc.). Carve-outs for /etc/ssh/, /etc/shadow, etc. are masked when command_mask_secrets = true.
- Permissive — System baseline plus $HOME bound read-only. Carve-outs extend to ~/.ssh/, ~/.aws/, etc. when command_mask_secrets = true. The “I want config files but not secrets” posture.
- All — --ro-bind / / at the bwrap level: the entire host filesystem is visible read-only. Even in this mode, command_mask_secrets = true (the default) masks the standard sensitive-file paths. Opt-in for tools that need broad host visibility.
| Value | Meaning |
|---|---|
| "none" | Nothing bound by default. |
| "system" | System paths only; $HOME not bound. Default. |
| "permissive" | System paths + $HOME read-only. |
| "all" | Entire filesystem read-only. |
command_mask_secrets
Apply the standard sensitive-file masklist (see SYSTEM_DENY_PATHS + HOME_DENY_PATHS constants) on top of whichever baseline is selected. Default true; the masks always apply unless explicitly disabled.
network
Sub-section of [sandbox.os] that authorizes (a) which ports the agent may expose from inside the sandbox to the host’s loopback via command_run’s dev_server_ports parameter (inbound), and (b) which host loopback ports the agent may reach via host_localhost_ports (outbound). Bare-u16 entries silently allow; { port = N, prompt = true } forces a runtime prompt. Each side’s deny list takes precedence over its allow list.
dev_server_ports
Bare-u16 or table entry for one allow-list port. Shared by dev_server_ports and host_localhost_ports since both use the same TOML shape; the resolved-config types are distinct so the direction is type-checked at use sites.
Variant 1
Shorthand: 3000.
Table form
Explicit: { port = 3000, prompt = true }.
prompt
dev_server_ports_deny
host_localhost_ports
Bare-u16 or table entry for one allow-list port. Shared by dev_server_ports and host_localhost_ports since both use the same TOML shape; the resolved-config types are distinct so the direction is type-checked at use sites.
Variant 1
Shorthand: 3000.
Table form
Explicit: { port = 3000, prompt = true }.
prompt
host_localhost_ports_deny
wrappers
Section-wide list of wrapper-command prefixes that every enabled bundle in command_tools also applies to. Useful when a build orchestrator (just, make, mise, etc.) spawns the real tool as a child inside the same bwrap namespace — without this, the child inherits the parent’s NetworkParams::None because the orchestrator’s matched_pattern doesn’t match any bundle’s command_prefixes. The section default unions with each entry’s wrappers = [...] override; both add to (never replace) the bundle’s command_prefixes. Empty (the default) preserves the original bundle-applies-by-command-prefix behaviour.