Every bash tool call is wrapped in a bubblewrap sub-sandbox where the entire filesystem is mounted read-only. Unlike regex-based command filtering, writes are blocked at the filesystem level, from any language runtime.
Features
- Filesystem-level enforcement: uses Linux mount namespaces, not pattern matching
- Per-agent configuration: set `bash-readonly: true` in agent frontmatter
- Lockable: `bash-readonly-locked: true` disables the toggle command
- User commands sandboxed too: `!` and `!!` TUI commands are also read-only when active
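
The difference between pattern matching and filesystem-level enforcement, as an added example (not this project's own code). The denylist pattern, the function names, the `python3` writer and the minimal `bwrap` flags are assumptions chosen for illustration; the project's actual invocation is not shown on this page.

```shell
#!/bin/sh
# Added example: a regex denylist versus a read-only bubblewrap mount.
# All names, the pattern and the bwrap flags are assumptions.

# Hypothetical denylist of the kind a regex-based command filter uses.
DENY='(^|[;&| ])(rm|mv|cp|tee|touch|mkdir|dd|chmod)( |$)|>'

# A write issued from a language runtime (constructed sample command).
WRITER="python3 -c 'import sys; open(sys.argv[1], \"w\").close()'"

# Returns 0 when the regex filter would let the command through.
regex_filter_allows() {
  ! printf '%s\n' "$1" | grep -Eq "$DENY"
}

# Runs a command with the whole root bind-mounted read-only.
ro_run() {
  bwrap --ro-bind / / --die-with-parent sh -c "$1"
}

# Returns 0 when bwrap is installed and user namespaces work on this host.
ro_available() {
  command -v bwrap >/dev/null 2>&1 && ro_run true >/dev/null 2>&1
}

# $1 is a command that creates the file named by its last argument.
# 0 = write blocked in sandbox, 1 = file written, 2 = cannot test here.
write_blocked() {
  probe="${TMPDIR:-/tmp}/ro-probe.$$"
  ro_available || return 2
  sh -c "$1 '$probe'" >/dev/null 2>&1   # control: same write, unsandboxed
  [ -e "$probe" ] || return 2           # writer runtime is missing
  rm -f "$probe"
  ro_run "$1 '$probe'" >/dev/null 2>&1 || true
  if [ -e "$probe" ]; then rm -f "$probe"; return 1; fi
  return 0
}

# Demo: the filter passes the command, the mount namespace refuses the write.
if regex_filter_allows "$WRITER"; then echo "regex filter: allowed"; fi
rc=0; write_blocked "$WRITER" || rc=$?
case $rc in
  0) echo "sandbox: write blocked" ;;
  1) echo "sandbox: file was written" ;;
  *) echo "sandbox: not testable on this host" ;;
esac
```

The control write outside the sandbox confirms the runtime works, so a missing file afterwards is attributable to the read-only mount and not to a missing interpreter.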