Security
filesystem sandbox
path jail, symlink detection, and job objects
autonomy levels
| level | description |
|---|---|
| readonly | observe only, no shell, no writes |
| supervised | act within allowlists (default) |
| full | autonomous within workspace sandbox |
workspace scoping
workspace_only = true by default. this means:
- all file operations confined to the workspace directory
- absolute paths rejected
- path traversal (`../../../etc/passwd`) blocked
- symlink escape detection via canonical path verification
- null byte injection blocked
blocked directories
14 system directories always blocked: /etc, /root, /home, /usr, /bin, /sbin, /lib, /opt, /boot, /dev, /proc, /sys, /var, /tmp
4 sensitive dotfile paths always blocked: ~/.ssh, ~/.gnupg, ~/.aws, ~/.config
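The path jail described under workspace scoping and the always-blocked lists above, as an added example written for this page (not the project's own code). `resolve_in_workspace` applies the workspace_only checks in the order listed: null bytes, absolute paths, lexical `..` traversal, then canonical containment via `os.path.realpath`, which is what catches a symlink inside the workspace that points outside it. `blocked_reason` matches the two blocked lists; the assumption that it runs against the requested path after `~` expansion, with the dotfile list checked first, is this example's own. The constant names, the `PathRejected` type and the demo workspace are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Lists copied from the page; the constant names are this example's own.
BLOCKED_SYSTEM_DIRS = ("/etc", "/root", "/home", "/usr", "/bin", "/sbin", "/lib",
                       "/opt", "/boot", "/dev", "/proc", "/sys", "/var", "/tmp")
BLOCKED_DOTFILE_DIRS = ("~/.ssh", "~/.gnupg", "~/.aws", "~/.config")


class PathRejected(ValueError):
    """Carries the reason a path failed a sandbox check."""


def _is_under(path: str, root: str) -> bool:
    """True if `path` is `root` itself or lies below it (string test only,
    on whole components, so /etcetera is not under /etc)."""
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")


def blocked_reason(requested: str) -> Optional[str]:
    """Why an absolute path is always blocked, or None if it is not.

    Assumption (not stated on the page): the lists are matched against the
    normalised path the caller asked for, after `~` expansion, and the
    dotfile list is checked first so ~/.ssh is reported as the sensitive
    path rather than merely as something under /home or /root.
    """
    path = os.path.normpath(os.path.expanduser(requested))
    for d in BLOCKED_DOTFILE_DIRS:
        if _is_under(path, os.path.normpath(os.path.expanduser(d))):
            return f"blocked sensitive path {d}"
    for d in BLOCKED_SYSTEM_DIRS:
        if _is_under(path, d):
            return f"blocked system directory {d}"
    return None


def resolve_in_workspace(workspace: str, user_path: str) -> str:
    """Resolve `user_path` inside `workspace` (workspace_only = true) or raise.

    Checks run in the order the page lists them: null bytes, absolute paths,
    lexical `..` traversal, then canonical (symlink-following) containment.
    """
    if "\0" in user_path:          # must come first: realpath() rejects NUL
        raise PathRejected("null byte in path")
    if os.path.isabs(user_path):
        raise PathRejected("absolute paths are rejected")
    if ".." in Path(user_path).parts:
        raise PathRejected("path traversal")
    root = os.path.realpath(workspace)
    # realpath follows every symlink component, so a link inside the workspace
    # that points elsewhere canonicalises to a path outside `root`.
    canonical = os.path.realpath(os.path.join(root, user_path))
    if not _is_under(canonical, root):
        raise PathRejected("symlink escapes workspace")
    return canonical


def check(workspace: str, user_path: str) -> str:
    """'ok' or the rejection reason, for tabulating the cases below."""
    try:
        resolve_in_workspace(workspace, user_path)
        return "ok"
    except PathRejected as exc:
        return str(exc)


def make_demo_workspace() -> str:
    """Constructed fixture: a workspace holding one source file and a symlink
    named `escape` that points at the workspace's parent directory."""
    ws = tempfile.mkdtemp(prefix="ws-")
    Path(ws, "src").mkdir()
    Path(ws, "src", "main.rs").write_text("fn main() {}\n")
    os.symlink(os.path.dirname(ws), os.path.join(ws, "escape"))
    return ws


if __name__ == "__main__":
    ws = make_demo_workspace()
    for p in ("src/main.rs", "/etc/passwd", "../../../etc/passwd",
              "escape/other-project", "src/main.rs\0.txt"):
        print(f"{p!r:30} -> {check(ws, p)}")
    for p in ("/etc/passwd", "~/.ssh/id_rsa", "/etcetera"):
        print(f"{p!r:30} -> {blocked_reason(p)}")
```

The lexical `..` check alone is not enough: `escape/other-project` contains no `..` and is not absolute, yet it leaves the workspace, which only the canonical-path comparison detects. The containment test compares whole path components, so a sibling directory such as `ws-1-backup` next to `ws-1` is not mistaken for being inside it.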
command allowlisting
only approved commands can execute. default list: git, npm, cargo, ls, cat, grep, find, echo, pwd, wc, head, tail
blocked patterns:
- subshell operators (backticks, `$(`, `${`)
- output redirections (`>`, `>>`)
- command chaining (`&&`, `||`, `;`, `|`): every segment of a chained command is validated on its own, so a disallowed command cannot hide behind an allowed one
- env var prefix bypass (`FOO=bar rm -rf /`)
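A validator for the allowlist and blocked patterns above, as an added example written for this page (not the project's own validator). It tokenizes the line the way a POSIX shell would, so a `>` inside quotes is an argument while a bare `>` is a redirection, splits on the chaining operators, and checks each segment separately for an env-var prefix and an allowlisted command. Rejecting any other bare operator token (a single `&`, `<`, parentheses) is this example's own conservative choice, not something the page states; the constant names are likewise constructed.

```python
import re
import shlex
from typing import List, Tuple

# Default allowlist from the page; the constant names are this example's own.
ALLOWED_COMMANDS = frozenset(
    "git npm cargo ls cat grep find echo pwd wc head tail".split())
CHAIN_OPERATORS = frozenset({"&&", "||", ";", "|"})
SHELL_OPERATOR_CHARS = "();<>|&"            # shlex's punctuation_chars set
ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def _tokenize(line: str) -> List[str]:
    """Tokenize like a POSIX shell: quotes group words, and ();<>|& become
    their own tokens outside quotes but stay literal inside them."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def _is_subshell(tok: str, nxt: str) -> bool:
    """Backticks, ${...}, $(...) (also when quoted), or a word ending in '$'
    immediately followed by a '(' token, which is how `$(` tokenizes."""
    return ("`" in tok or "${" in tok or "$(" in tok
            or (tok.endswith("$") and nxt.startswith("(")))


def validate_command(line: str) -> Tuple[bool, str]:
    """Return (True, 'ok') or (False, reason) for one shell command line."""
    try:
        tokens = _tokenize(line)
    except ValueError as exc:               # unbalanced quote, dangling escape
        return False, f"unparseable command: {exc}"

    segments: List[List[str]] = [[]]
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if _is_subshell(tok, nxt):
            return False, f"subshell operator in {tok!r}"
        if tok and all(c in SHELL_OPERATOR_CHARS for c in tok):
            if tok in CHAIN_OPERATORS:
                segments.append([])         # each segment is validated alone
            elif ">" in tok:
                return False, f"output redirection {tok!r}"
            else:                           # assumption: nothing else allowed
                return False, f"unsupported shell operator {tok!r}"
            continue
        segments[-1].append(tok)

    for seg in segments:
        if not seg:
            return False, "empty command segment"
        if ENV_ASSIGNMENT.match(seg[0]):
            return False, f"env var prefix {seg[0]!r}"
        if seg[0] not in ALLOWED_COMMANDS:
            return False, f"command {seg[0]!r} not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample lines: the first three are expected to pass.
    for cmd in ("git status && cargo test", "ls -la | grep rs", 'echo "a>b"',
                "echo `id`", "echo $(id)", "cat foo > bar",
                "ls && rm -rf /", "FOO=bar rm -rf /", "ls &&"):
        ok, why = validate_command(cmd)
        print(f"{'ALLOW' if ok else 'DENY':5} {cmd!r:28} {why}")
```

The per-segment loop is what defeats `ls && rm -rf /`: the line starts with an allowlisted command, but the second segment's first word is `rm`, and the env-var check catches `FOO=bar rm -rf /`, where a naive "first word is in the list" test would see an assignment rather than a command. The validator only decides whether a command may run; which files `cat` may read is the job of the path jail.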
windows job objects
on windows, shell commands run inside a Job Object with:
- KILL_ON_JOB_CLOSE: child processes die when the parent exits
- 256MB memory limit
- no child process spawning
- UI restrictions