Every bash tool call is wrapped in a bubblewrap sub-sandbox where the entire filesystem is mounted read-only. Unlike regex-based command filtering, writes are blocked at the filesystem level, from any language runtime.
Features
- Filesystem-level enforcement — uses Linux mount namespaces, not pattern matching
- Per-agent configuration — set `bash-readonly: true` in agent frontmatter
- Lockable — `bash-readonly-locked: true` disables the toggle command
- User commands sandboxed too — `!` and `!!` TUI commands are also read-only when active
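
The read-only mount described at the top of this page can be reproduced by hand to confirm that writes fail from more than one runtime, not just from shell redirection. This is an added example, not the project's code: it assumes the sandbox is equivalent to `bwrap --ro-bind / /`, and `ro_bash`, `probe` and `verify_readonly` are hypothetical names.

```shell
#!/bin/sh
# Added example, not the project's code. --ro-bind and --die-with-parent are
# real bubblewrap options; the function names below are hypothetical.

# Run a bash script string with the whole host filesystem bound read-only.
# Usage: ro_bash 'script' [args...]   (args arrive as $1.. inside the script)
ro_bash() {
  script=$1; shift
  bwrap --ro-bind / / --die-with-parent bash -c "$script" ro-bash "$@"
}

# probe NAME BINARY SCRIPT DIR
# Attempt a file creation inside the sandbox, then check from OUTSIDE the
# sandbox whether the file exists. Returns 1 only if the write got through.
probe() {
  command -v "$2" >/dev/null 2>&1 || { echo "$1: skipped"; return 0; }
  ro_bash "$3" "$4/$1" >/dev/null 2>&1 || true   # failure is the expected case
  if [ -e "$4/$1" ]; then
    echo "$1: WRITABLE"
    return 1
  fi
  echo "$1: blocked"
}

# Returns 0 = every write blocked, 1 = a write got through,
#         2 = sandbox could not start (bwrap missing, user namespaces disabled).
verify_readonly() {
  command -v bwrap >/dev/null 2>&1 || return 2
  ro_bash true >/dev/null 2>&1 || return 2
  dir=$(mktemp -d) || return 2
  rc=0
  # Same target directory, three different ways of opening a file for writing.
  probe shell bash 'echo x > "$1"' "$dir" || rc=1
  probe python python3 \
    'python3 -c "import sys, pathlib; pathlib.Path(sys.argv[1]).touch()" "$1"' \
    "$dir" || rc=1
  probe perl perl 'perl -e "open(F, q(>), shift) or exit 1" "$1"' "$dir" || rc=1
  rm -rf "$dir"
  return "$rc"
}
```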