2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -174,7 +174,7 @@ Every shell command the agent runs is executed inside an OS-level sandbox:
| **macOS** | Seatbelt (SBPL) | Filesystem allow-listing, network denial |
| **All** | rlimits | 120s timeout, 1MB output cap, 50MB file size, 64 process limit |

The sandbox denies access to sensitive directories (`~/.ssh`, `~/.aws`, `~/.gnupg`, `~/.docker`) and blocks all network syscalls by default. Configure extra paths as needed:
The sandbox denies access to sensitive directories including `~/.ssh`, `~/.aws`, `~/.gnupg`, `~/.docker`, `~/.kube`, and credential files (`~/.npmrc`, `~/.pypirc`, `~/.netrc`). It blocks all network syscalls by default. Configure extra paths as needed:

```toml
[sandbox]
37 changes: 37 additions & 0 deletions config.example.toml
Expand Up @@ -201,6 +201,43 @@ bind = "127.0.0.1"
# enabled = true
# api_token = "${TELEGRAM_BOT_TOKEN}"

# Sandbox configuration for shell command isolation
# Every tool-executed shell command runs in a kernel-enforced sandbox
[sandbox]
# Enable sandbox (default: true)
enabled = true

# Sandbox enforcement level (default: "auto")
# Options:
# - "auto" — Use highest available level for your platform
# - "full" — Landlock V4+ + seccomp + userns (Linux only)
# - "standard" — Landlock V1+ + seccomp (Linux) or Seatbelt (macOS)
# - "minimal" — seccomp network blocking only (Linux)
# - "none" — rlimits only, no filesystem or network isolation
level = "auto"

# Command timeout (default: 120 seconds)
timeout_secs = 120

# Maximum stdout+stderr bytes (default: 1MB = 1048576)
max_output_bytes = 1048576

# Maximum file size via RLIMIT_FSIZE (default: 50MB = 52428800)
max_file_size_bytes = 52428800

# Maximum child processes via RLIMIT_NPROC (default: 64)
max_processes = 64

# Network policy (default: "deny")
# Options: "deny" (block all network) or "proxy" (future: allow via socket)
[sandbox.network]
policy = "deny"

# Additional filesystem access beyond workspace and system directories
# [sandbox.allow_paths]
# read = ["/opt/data", "/mnt/shared"]
# write = ["/tmp/scratch"]

[security]
# LocalGPT injects a security block at the end of every LLM context window.
# The block has two independent layers:
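Review bot: The option list above `level = "auto"` does not say what `"auto"` resolves to when neither Landlock, seccomp nor Seatbelt is usable, so a reader cannot tell whether it can quietly degrade to the rlimits-only behaviour described for `"none"` a few lines lower or whether startup refuses to run; whichever the implementation does (not visible here), one sentence beside the `"auto"` bullet stating it, and where that outcome is reported, would let an operator notice a silent downgrade. The commented `[sandbox.allow_paths]` block likewise leaves open whether a `read`/`write` entry can re-open the sensitive directories that this PR's README change lists as denied; a comment above `# read = [...]` stating which rule takes precedence would stop operators from assuming the allow list is harmless, and a note that `write` entries are the ones to keep narrowest would match the README's framing. As a style nit, the byte counts read more easily with TOML digit separators, `max_output_bytes = 1_048_576` and `max_file_size_bytes = 52_428_800`, which also makes the `1MB`/`50MB` comments checkable at a glance. The `[security]` table that starts at the end of the hunk continues outside it.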