Sandbox
Swarmie sandbox config lives under [sandbox] in config.toml (crates/core/src/config/toml_types.rs) and is resolved into SandboxConfig (crates/core/src/config/types.rs).
Config Shape
[sandbox]
allowed_paths = ["src/**", "docs/**"]
denied_paths = ["src/secrets/**", ".git/**"]
allowed_domains = ["api.example.com", "*.internal.local"]
blocked_domains = ["tracker.example.com"]
linux_landlock = true
macos_seatbelt = true
macos_seatbelt_profile = "/path/to/swarmie.sb"| Field | Type | Description |
|---|---|---|
allowed_paths | array(string) | Glob-like path patterns allowed for filesystem access. |
denied_paths | array(string) | Explicit deny patterns applied on top of allow rules. |
allowed_domains | array(string) | Domain allowlist for web tool outbound requests. |
blocked_domains | array(string) | Domain denylist that overrides allowlist matches. |
linux_landlock | bool | Enable Linux bash OS sandbox flag wiring (best effort). |
macos_seatbelt | bool | Enable macOS Seatbelt wrapper for bash. |
macos_seatbelt_profile | string | Seatbelt profile file path passed to sandbox-exec -f. |
What It Enforces Today
Filesystem sandbox checks are applied in tool execution (crates/core/src/turn/tool_execution.rs) and file mention resolution (crates/core/src/mention.rs):
- Read/write targets from tools like
Read,Write,Edit,Patch,Glob, andGrepare validated. @filemention expansion is validated before file content is injected into prompt context.
Denied access returns user-visible errors such as Filesystem sandbox denied ....
Rule Semantics
- If
[sandbox]is absent: policy defaults to working-directory scope. - If
[sandbox]exists butallowed_pathsis empty: policy still falls back to working-directory scope. - Invalid path patterns are ignored with warnings.
Network Enforcement
Domain policy is enforced in crates/core/src/turn/tool_execution.rs before web tools run:
web_fetch: checks the request URL domain.web_search: checks the Brave API domain used by the tool transport.
Blocked domains are evaluated before allowed domains.
OS Enforcement Notes
linux_landlockis a best-effort runtime flag and degrades gracefully when OS setup is unavailable.macos_seatbeltuses/usr/bin/sandbox-execwithmacos_seatbelt_profilewhen available.