Sandbox capabilities
Bernato wraps macOS agent spawns in a kernel-enforced Seatbelt sandbox by default. Linux supports opt-in bwrap when available; Windows has limited Job Object containment without filesystem/network isolation. This is a feature page — for the deep dive, see Sandboxing Claude Code on macOS.
The default policy
workspace_rw— read+write inside the chosen workspace folderread_anywhere— explicit broad filesystem read grantnetwork— outbound networksubprocess— fork/exec child processes
That's the right policy 95% of the time. The agent can read your code, hit the internet, run git / npm / cargo, but cannot write outside the workspace.
Per-agent grants
For the cases that need more: edit ~/.bernato_capabilities.json from the tray. Each grant is a match block (agent name pattern, source, command) plus a list of capabilities to add. AND within a grant, OR across grants.
Capability tokens
workspace_rw · read_anywhere · network · subprocess · screen_capture · accessibility · full_disk_access · read:<path> · write:<path> · exec:<path> · privileged
Audit log
Every spawn, every grant, every kernel block decision goes into the local activity log. Hourly verification. View it via the dashboard's Activity panel (live SSE stream).
Master switch
"Sandbox: ON / OFF" in the tray menu — for the rare unrestricted run. The toggle event is itself audited.
Linux & Windows
macOS uses Seatbelt with the capability mapping described above. Linux and Windows containment are on the roadmap; until that lands, treat the sandbox guarantee as macOS-only.
FAQ
Is the sandbox on by default?
Yes — for new installs. Existing users who explicitly turned it off keep their setting.
Can I disable it for one agent only?
Yes — grant privileged in a per-agent rule. The audit log records every spawn that ran without sandbox.