# Merge rules (apply to every layering below): scalars replace, vec fields
# append, profiles merge by name.
#
# Layers, lowest precedence first: globals -> active profile (with its
# ancestors folded in) -> CLI flags. `--profile` selects the active profile;
# otherwise the top-level `profile` below is used. Profiles can themselves set
# `profile = "parent"` to inherit from another profile.
#
# `extra-config` optionally points to a second file layered on top of this
# one. Missing extra-config files are silently skipped; nesting is not
# supported.

# Layered on top of this file, so it can widen `rw`, `env`, etc. Keep it (and
# this file) outside every path that is mounted rw below; otherwise a sandboxed
# process could rewrite the config that governs its next run.
extra-config = "~/.config/agent-sandbox/extra.toml"

# Whitelist mode: only the paths listed in `ro`/`rw` (plus whatever the tool
# adds on its own) are visible inside the sandbox.
whitelist = true
# blacklist = true
# hardened = true # implied by whitelist
# unshare-net = true
# seccomp = false # default: true
# env-filter = false # default: true
# dry-run = true
# chdir = "~/projects/my-repo"

# Read-only bind mounts. Because vec fields append, every profile below gets
# these in addition to its own `ro` list.
ro = [
    "~/dev/agent-config",
    "/etc/alsa",
    # Audio sockets; a read-only bind is enough to connect to them. The uid 1000
    # is hard-coded (TOML has no variable expansion), so adjust per user.
    "/run/user/1000/pulse",
    "/run/user/1000/pipewire-0",
    # "/host/path:/sandbox/path", # SRC:DST -> mount host SRC at a different target
]

# Read-write bind mounts, appended to every profile's `rw` -- including the
# profiles that run with the agent's own approvals disabled. `~/.cargo` normally
# contains `bin/` (toolchain wrappers executed on the host) and
# `credentials.toml` (registry token), and `~/.rustup` holds the toolchains, so
# anything written here by the agent is trusted outside the sandbox later.
rw = [
    "~/.cargo",
    "~/.rustup",
]

# mask = ["~/.ssh"] # hide path with tmpfs/over /dev/null

# Environment passed into the sandbox. `XDG_RUNTIME_DIR` pairs with the
# /run/user/1000 mounts above.
env = [
    "XDG_RUNTIME_DIR", # KEY -> pass through from host if set
    # "DEBUG=", # KEY= -> set to empty string
    # "DATABASE_URL=dev", # KEY=VALUE -> set explicitly
]
# unsetenv = ["SOME_LEAKED_VAR"]

# entrypoint = ["claude", "--dangerously-skip-permissions"] # binary + baked-in args
# command = ["--model", "opus"] # default trailing args
# NOTE(review): `bwrap-args` bypasses whatever hardening the tool applies; the
# example is one string holding two bwrap argv words, and nothing here shows
# whether the tool word-splits it -- confirm before relying on it.
# bwrap-args = ["--tmpfs /opt/scratch"] # raw bwrap escape hatch

# Active profile when `--profile` is not given on the CLI.
profile = "claude"

[profiles.claude]
ro = ["~/.local/share/claude-code"]
rw = ["~/.config/claude"]
# `Bash(*)` pre-approves every shell invocation, so the bwrap mounts above are
# the only remaining boundary for this profile.
entrypoint = ["claude", "--allowedTools", "Bash(*)", "WebSearch", "WebFetch(*)", "mcp__*"]

[profiles.claude-yolo]
# Inherits claude's ro/rw; only the entrypoint differs.
profile = "claude"
# NOTE(review): the merge rules say vec fields append. Unless `entrypoint` is
# special-cased to replace, this would be appended to the parent's entrypoint
# rather than override it -- confirm against the tool.
entrypoint = ["claude", "--dangerously-skip-permissions"]

[profiles.codex]
ro = ["~/.local/share/codex-cli"]
# Disables codex's own approval/sandbox layer; containment relies entirely on
# the bwrap sandbox configured in this file.
entrypoint = ["codex", "--dangerously-bypass-approvals-and-sandbox"]

[profiles.pi]
ro = ["~/.local/share/pi-agent"]
rw = ["~/.config/pi"]
entrypoint = ["pi"]