mrtoth/agent-sandbox
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8010e9102ea25bba5245dfa8ffdf49469c6c696d
agent-sandbox/README.md
Kristóf Tóth 8010e9102e Allow disabling boolean flags from the CLI 
Pair --hardened, --dry-run, and --unshare-net (renamed from --no-net)
with negation counterparts so a CLI invocation can override a truthy
config-file or profile value.
2026-04-08 00:22:50 +02:00

46 lines
2.1 KiB
Markdown
Raw Blame History

# agent-sandbox
Sandbox agentic coding assistants with [bubblewrap](https://github.com/containers/bubblewrap). Limits what an AI agent can see and modify on the host, reducing the blast radius of prompt injection and accidental damage.
## Modes
### Whitelist
Tight sandbox for normal agent coding tasks. Only explicitly listed paths are visible — system binaries, libraries, a subset of `/etc`, `/sys` (all read-only), synthetic `/dev`, private `/proc`, `/tmp`, `/run`, and the working directory (read-write). Everything else is invisible.
### Blacklist
Looser sandbox for system-level debugging with agent assistance. The host filesystem is mounted read-only, with targeted overlays hiding sensitive paths (credentials, history, secrets, sockets, input devices). `/run` and `${XDG_RUNTIME_DIR}` are replaced with tmpfs mounts that only expose the paths needed for system tooling (`systemctl`, `resolvectl`, `journalctl`, etc.).
The threat model is prompt injection and accidental damage, not a determined attacker with user-level access.
**Not protected in blacklist mode:** arbitrary readable files outside the sensitive paths list, and D-Bus method calls (access control is daemon-side).
## Configuration file
Settings can be stored in a TOML config file at `$XDG_CONFIG_HOME/agent-sandbox/config.toml` (or pass `--config <path>`). Use `--no-config` to skip loading it. The config file accepts the same options as the corresponding CLI flags.
Top-level keys set defaults; `[profile.<name>]` sections define named presets selectable with `--profile <name>`. CLI flags always take highest precedence, followed by the active profile, then top-level defaults.
```toml
# Global defaults
whitelist = true
unshare-net = true
ro = ["~/.aws"]
# Named profile
[profile.docker]
blacklist = true
rw = ["/var/run/docker.sock"]
command = ["claude", "--dangerously-skip-permissions"]
```
## Escape hatches
When the agent needs access to something the sandbox blocks, use `--rw` or `--ro`:
```bash
agent-sandbox --rw /var/run/docker.sock -- claude --dangerously-skip-permissions
agent-sandbox --ro ~/.aws -- claude --dangerously-skip-permissions
```
Reference in New Issue View Git Blame Copy Permalink