Tech

Sandbox capabilities

Akshay Sarode

Bernato wraps macOS agent spawns in a kernel-enforced Seatbelt sandbox by default. Linux supports opt-in bwrap when available; Windows has limited Job Object containment without filesystem/network isolation. This is a feature page — for the deep dive, see Sandboxing Claude Code on macOS.

The default policy

That's the right policy 95% of the time. The agent can read your code, hit the internet, run git / npm / cargo, but cannot write outside the workspace.

Per-agent grants

For the cases that need more: edit ~/.bernato_capabilities.json from the tray. Each grant is a match block (agent name pattern, source, command) plus a list of capabilities to add. AND within a grant, OR across grants.

Capability tokens

workspace_rw · read_anywhere · network · subprocess · screen_capture · accessibility · full_disk_access · read:<path> · write:<path> · exec:<path> · privileged

Audit log

Every spawn, every grant, every kernel block decision goes into the local activity log. Hourly verification. View it via the dashboard's Activity panel (live SSE stream).

Master switch

"Sandbox: ON / OFF" in the tray menu — for the rare unrestricted run. The toggle event is itself audited.

Linux & Windows

macOS uses Seatbelt with the capability mapping described above. Linux and Windows containment are on the roadmap; until that lands, treat the sandbox guarantee as macOS-only.

FAQ

Is the sandbox on by default?

Yes — for new installs. Existing users who explicitly turned it off keep their setting.

Can I disable it for one agent only?

Yes — grant privileged in a per-agent rule. The audit log records every spawn that ran without sandbox.