Sandbox

​

Default access policies (when sandbox is enabled)

​

Sandbox modes

• per-command (default) — only Droid-initiated shell commands and tool operations are sandboxed.
• whole-process (Linux only) — the entire Droid process is launched inside the OS sandbox, extending isolation to the main process, MCP stdio transports, and subagents.

​

What’s included

• File tools (Read, Edit, Create, LS, Grep, Glob, ApplyPatch) — checkFileAccess() before every operation, enforcing denyRead for reads and allowWrite/denyWrite for writes
• Execute tool — shell commands wrapped in OS sandbox (Seatbelt/bubblewrap) with network routed through SRT’s filtering proxy for domain-level control
• FetchUrl — checkNetworkAccess() against allowedDomains
• MCP tools — fail closed (denied) under an active sandbox. MCP tool behavior is opaque (a server can read/write files, reach the network, etc.) and the protocol exposes no per-tool effect metadata, so MCP tools cannot be mapped to an enforceable sandbox policy and are blocked by the default-deny tool policy below.
• Note — the main Droid process and subagents are not isolated in this mode. Use whole-process mode to isolate them.

• At startup the entire Droid process is re-executed inside the OS sandbox, so the main process, MCP stdio transports, and subagent lifecycles all run within the configured filesystem and network boundaries
• Network requests made directly by the Droid process (not only those from the Execute tool) are filtered against allowedDomains, with interactive domain prompts in TUI mode
• Fails closed — if the secure runtime cannot be established at startup (unsupported platform, missing sandbox support, or a failed isolation check), Droid refuses to start rather than running unsandboxed
• Default access policies, filesystem and network configuration, and allow-always persistence behave the same as per-command mode

• Every registered tool declares sandbox side-effect metadata (filesystem-read, filesystem-write, network, process, external-service, persistent-settings)
• When sandbox is enabled, a tool is allowed only if every declared side effect maps to a sandbox policy handler (file access, network, or per-command Execute). Tools with an unannotated, unknown, or unhandled side effect are denied
• Tools whose effects cannot be enforced locally — such as MCP tools and connectors (external-service) — have no handler and therefore fail closed
• Tool-policy denials are non-promptable: user approval cannot bypass missing policy coverage, and these denials are not configurable via allowWrite/allowedDomains

• Sandbox violations interrupt the agent loop with a TUI prompt, even at Auto (High) autonomy
• Three options: Allow once, Allow always (persists to settings), Deny
• For denyWrite violations: “Remove from deny list” option instead of “Allow always” (removes the entry from denyWrite in settings)
• For denyRead violations: “Remove from deny list” option instead of “Allow always”
• For Execute network violations: real-time domain prompts via SRT’s proxy callback with 60s auto-deny timeout

• Sandbox violations are auto-denied without prompting — no hang, no user interaction required
• The agent receives a denial message and reports it in the output

• File write violations (outside CWD): adds parent directory to sandbox.filesystem.allowWrite in user settings
• denyWrite violations: removes the entry from sandbox.filesystem.denyWrite
• denyRead violations: removes the entry from sandbox.filesystem.denyRead
• Domain violations: adds domain (with wildcard for 3+ part domains, e.g. registry.npmjs.org -> *.npmjs.org) to sandbox.network.allowedDomains
• Changes take effect immediately in the current session

• Org-level denyWrite/denyRead settings cannot be overridden by user “Allow always”
• Violation prompt shows “(organization policy)” when the deny comes from org settings

• SANDBOX status indicator in footer when sandbox is enabled
• “Sandbox Violation” prompt with violation details (path, domain, reason)

​

Settings config

{
  "sandbox": {
    "enabled": true,
    // Isolation scope: "per-command" (default) or "whole-process" (Linux only)
    "mode": "per-command",
    "filesystem": {
      // Additional writable paths beyond CWD (which is always writable)
      "allowWrite": ["/tmp/build-output", "~/.config"],
      // Deny writes to specific subpaths even if parent is in allowWrite
      "denyWrite": ["/tmp/build-output/cache/locks", "~/.config/secrets"],
      // Block reads to specific paths (everything else is readable)
      "denyRead": ["~/.aws/credentials", "~/.ssh/id_rsa"]
    },
    "network": {
      // Only these domains are reachable (*.factory.ai always included)
      "allowedDomains": ["github.com", "*.npmjs.org"]
    }
  }
}

​

Related

• Autonomy Level — approval policy for tool risk.
• Settings — where sandbox.* lives.
• Hierarchical Settings & Org Control — how org policy merges with user settings.
• Security — broader security model for the Droid CLI.