Kernel-enforced sandbox for AI coding agents. Wraps GitHub Copilot CLI, OpenCode, Gemini CLI, Antigravity CLI, Pi, or any shell so agents can write code but cannot steal credentials, push to main, merge PRs, or exfiltrate secrets.

• macOS: Apple Seatbelt/SBPL via sandbox-exec
• Linux: Landlock LSM + seccomp-BPF (kernel 5.13+; full network filtering on 6.7+)

AI agents execute arbitrary code. A compromised agent (prompt injection, supply chain attack, malicious MCP server) can read ~/.ssh, push to main, merge PRs, or exfiltrate code — unless the OS itself says no.

cplt provides kernel-level enforcement with team-configurable policy:

• Per-repo policy (.cplt.toml) committed to version control — tamper-proof, auditable
• Deny-by-default for credentials, secrets, and sensitive files
• Command-level git/gh interception (block pushes, merges, releases)
• Outbound network filtering with audit logging
• No Docker, no VMs — single static binary on locked-down laptops
• Zero-config start for developers; escape hatches when needed

• Quick start
• What it blocks
• Install
• Usage
• Configuration
• Security
• Architecture
• Contributing
• References

Detailed docs: Configuration · Proxy & domain filtering · gh command guard · git command guard · Known impacts · Security details

brew install navikt/tap/cplt
cplt --shell-install        # make 'copilot' run sandboxed (persistent)
cplt doctor                 # check your environment
cplt -- -p "fix the tests"  # run Copilot in sandbox

Other agents and sandbox commands:

cplt --agent opencode                       # OpenCode (Copilot subscription)
cplt --agent opencode --pass-env ANTHROPIC_API_KEY  # third-party provider
cplt --agent shell                          # interactive sandboxed shell (no AI)
cplt exec -- npm install                    # sandbox any command directly
cplt exec -c "npm install && npm test"      # compound commands in sandbox
alias npm="cplt exec -- npm"               # sandboxed npm for every invocation

# 1. Generate per-repo policy
cplt init --write

# 2. Developers approve on first run
cplt trust accept --all

# 3. Enable command guards
cplt config set gh_guard.enabled true
cplt config set git_guard.enabled true
cplt config set git_guard.protect_default_branch_only true

The sandbox blocks access to credentials and secrets at the kernel level. Command guards block destructive operations. All restrictions apply to the agent and every process it spawns.

This table is a summary. The sandbox also allows access to system files (SSL certs, /etc/hosts), temp directories (read/write but no exec), and system tool paths (/usr/bin, /opt/homebrew). Run cplt --print-profile to see the complete SBPL rules.

For the full security model, threat analysis, and test strategy, see SECURITY.md.

cplt is not stronger everywhere. Codex CLI has Linux namespace isolation today, and it already exposes explicit sandbox modes such as read-only and workspace-write. cplt does not yet have that mode matrix.

Docker still gives you stronger isolation boundaries in some environments, especially if you want a fully separate filesystem and process namespace. cplt makes a different trade-off: lighter setup and tighter integration with the developer machine you already use.

Tools such as VS Code agent mode rely mainly on UI permissions. cplt enforces restrictions in the kernel, so the agent cannot talk its way around them with a prompt or a modified instruction.

That matters most for CLI agents and credential exposure:

• cplt works outside the IDE
• env vars are filtered before the agent starts
• sensitive files can be blocked even when they live inside the repo
• the same restrictions apply to child processes

Anthropic Sandbox Runtime (srt) is the sandboxing layer used by Claude Code. Same high-level approach — macOS Seatbelt + kernel-level Linux enforcement + HTTP proxy — different implementation.

cplt is more secure out-of-the-box (env filtering, credential protection, DNS rebinding, lifecycle script blocking). srt is more flexible (SOCKS5, TLS inspection, per-request callbacks, library embedding). The Linux backend choice matters: bwrap requires workarounds on Ubuntu 24.04+ (AppArmor userns restrictions); Landlock requires kernel ≥5.13 but has zero external dependencies.

• macOS has the strongest file-level enforcement today; Linux coverage is improving but not identical
• cplt does not yet offer simple read-only / workspace-write / full-access policy presets
• if you want full container isolation, cplt is not trying to replace Docker

brew install navikt/tap/cplt

curl -fsSL https://raw.githubusercontent.com/navikt/cplt/main/install.sh | bash

Options:

# Install a specific version
curl -fsSL ... | bash -s -- --version 2026.05.05-174753-75bae5b

# Install to a custom directory
curl -fsSL ... | bash -s -- --dir ~/.local/bin

# Skip Homebrew (force direct download)
curl -fsSL ... | bash -s -- --no-brew

Download the latest release for your platform from GitHub Releases:

# macOS — Apple Silicon (M1/M2/M3/M4)
curl -fsSL https://github.com/navikt/cplt/releases/latest/download/cplt-aarch64-apple-darwin.tar.gz | tar xz
sudo mv cplt /usr/local/bin/

# macOS — Intel
curl -fsSL https://github.com/navikt/cplt/releases/latest/download/cplt-x86_64-apple-darwin.tar.gz | tar xz
sudo mv cplt /usr/local/bin/

# Linux — x86_64
curl -fsSL https://github.com/navikt/cplt/releases/latest/download/cplt-x86_64-unknown-linux-gnu.tar.gz | tar xz
sudo mv cplt /usr/local/bin/

# Linux — ARM64
curl -fsSL https://github.com/navikt/cplt/releases/latest/download/cplt-aarch64-unknown-linux-gnu.tar.gz | tar xz
sudo mv cplt /usr/local/bin/

Every release binary has build provenance attestation — verify it with:

gh attestation verify cplt -o navikt

git clone https://github.com/navikt/cplt.git && cd cplt
cargo build --release
sudo cp target/release/cplt /usr/local/bin/

Or with mise:

mise run install

Note on PATH: mise run install and manual builds install cplt to /usr/local/bin/cplt. If you also have cplt installed via Homebrew (at /opt/homebrew/bin/cplt), ensure /usr/local/bin comes first in your PATH so the latest development version is used:

# Check which cplt is active
which cplt

# If it shows /opt/homebrew/bin/cplt, reorder your PATH:
export PATH="/usr/local/bin:$PATH"

Alternatively, run /usr/local/bin/cplt explicitly to bypass PATH resolution.

By default, you run the sandboxed version with cplt. To make copilot run the sandboxed version too, use the one-command installer:

cplt --shell-install

This detects your shell, appends the alias to your rc file, and prints what it did. Safe to run multiple times — it won't add duplicates.

After installing, restart your shell or source the file to activate.

# zsh / bash
eval "$(cplt --shell-setup)"

# fish
alias copilot cplt

Why an alias instead of a symlink? Both cplt and Copilot CLI install into the same Homebrew bin directory (/opt/homebrew/bin/). A symlink would conflict — only one file named copilot can exist there. A shell alias avoids this entirely: the real copilot binary stays in PATH (so cplt can find and wrap it), and the alias transparently redirects your command.

Note: cplt has recursion prevention built in. If it detects it's already running inside a sandbox (via the __CPLT_WRAPPED environment variable), it will refuse to launch again. Read-only subcommands like --print-profile and --doctor still work inside an existing sandbox.

cplt [OPTIONS] [-- <AGENT_ARGS>...]

Everything after -- is passed directly to the agent process (copilot, opencode, gemini, antigravity, pi, or shell).

The project directory is the primary writable workspace, plus a narrow allowlist required for auth, runtime, and tooling (see capability table above). Everything else (SSH keys, cloud credentials, etc.) is blocked by the kernel.

By default, cplt sanitizes the child environment — only safe variables pass through. Cloud credentials, database URLs, and package tokens are stripped. Additionally, security hardening variables are injected to block npm/yarn/pnpm lifecycle scripts (postinstall hooks) — the #1 supply chain attack vector — disable git commit/tag signing (since ~/.ssh and ~/.gnupg are inaccessible inside the sandbox), and opt out of developer tooling telemetry (DO_NOT_TRACK=1, NEXT_TELEMETRY_DISABLED=1, TURBO_TELEMETRY_DISABLED=1, CHECKPOINT_DISABLE=1, etc.).

What passes through:

Prefix allowlist with secret-suffix protection: Variables matching allowed prefixes (e.g. COPILOT_*, YARN_*) are passed through unless they end with a secret-bearing suffix: _TOKEN, _AUTH, _SECRET, _SECRET_KEY, _KEY, _PASSWORD, or _CREDENTIALS. For example, COPILOT_DEBUG passes through but COPILOT_API_KEY is blocked.

Always blocked: AWS_*, AZURE_*, NPM_TOKEN, DATABASE_URL, VAULT_TOKEN, SSH_AUTH_SOCK, Docker vars, CI tokens, and anything not in the allowlist.

cplt auto-discovers installed tools and configures sandbox rules accordingly. In general, only directories that exist on disk get rules (no phantom paths), but on macOS writable app directories are also included when discovered even if they do not exist yet. This allows for creation on first use. On Linux it is not possible to allow write to a non-existent path, so creation must happen outside the sandbox.

To see which tools cplt detected, run cplt doctor.

The proxy is enabled by default — all outbound traffic (Copilot CLI, gh, curl) is routed through a localhost CONNECT proxy via HTTP_PROXY/HTTPS_PROXY and NODE_USE_ENV_PROXY=1. The proxy listens on an OS-assigned ephemeral port, so there are no port conflicts.

What the proxy gives you:

• Connection logging — see every domain Copilot connects to in real time
• Domain blocking — block known exfiltration infrastructure (paste sites, webhook services, etc.)
• Domain allowlisting — restrict connections to only known-safe domains
• Audit log — persistent file log of all connections for post-session review
• Port enforcement — the proxy enforces the same port restrictions as the sandbox (443 + extra ports via allow.ports)

Disable for a single run:

cplt --no-proxy -- -p "fix the tests"

Disable permanently:

cplt config set proxy.enabled false

Add connection filtering (recommended):

cplt config set proxy.blocked_domains "~/.config/cplt/blocked-domains.txt"
# or restrict to known-safe domains only:
cplt config set proxy.allowed_domains "~/.config/cplt/allowed-domains.txt"
# optional audit log:
cplt config set proxy.log_file "~/.config/cplt/proxy.log"

Domain matching: both blocklist and allowlist use the same rules — example.com matches the exact domain and all subdomains (sub.example.com, deep.sub.example.com). Matching is case-insensitive. Trailing dots are stripped.

Localhost traffic (MCP servers, dev servers) bypasses the proxy via NO_PROXY and will not appear in the audit log.

Quiet mode (-q / sandbox.quiet = true) suppresses the startup banner. Proxy stderr output is controlled separately by --proxy-log-level (default: none — silent). Use --proxy-log to capture all connections to a file.

These flags are translated into the agent's native session flags for convenience — no -- separator needed.

--continue and --resume are also mapped for OpenCode and Antigravity:

¹ OpenCode and Antigravity have no interactive session picker, so a bare --resume maps to "continue last session". Auto-resume (injecting a session flag when invoked with no args) applies only to Copilot and Gemini.

You can combine these with cplt sandbox flags and -- pass-through args:

cplt --resume=my-task                          # resume by name
cplt --remote --name my-task -- -p "fix tests" # remote + named + prompt

cplt can sandbox OpenCode in addition to GitHub Copilot CLI. OpenCode is officially supported as a GitHub Copilot client — use your existing Copilot subscription with /connect inside OpenCode.

# Run OpenCode with Copilot subscription (no API key needed)
cplt --agent opencode

# Auto-detect: if only opencode is in PATH, cplt uses it automatically
cplt

# Or use a third-party provider
cplt --agent opencode --pass-env ANTHROPIC_API_KEY

Security notes for OpenCode:

• Copilot provider: auth is handled via /connect device flow, stored in ~/.local/share/opencode/auth.json — no env vars needed
• Third-party providers: API keys (ANTHROPIC_API_KEY, OPENAI_API_KEY, etc.) are not passed through by default — use --pass-env:

cplt --agent opencode --pass-env ANTHROPIC_API_KEY
cplt --agent opencode --pass-env OPENAI_API_KEY --pass-env OPENAI_ORG_ID

• OpenCode config (~/.config/opencode/) is read-only in the sandbox
• OpenCode data (~/.local/share/opencode/) is writable but execution is denied (write+exec prevention)
• Keychain access is disabled (OpenCode uses its own auth file, not macOS Keychain)
• --continue and --resume[=ID] are mapped to OpenCode's --continue / --session ID; --remote and --name are ignored

cplt can sandbox Google Gemini CLI. Gemini uses Google OAuth (browser flow) by default, or an API key.

# Run Gemini CLI
cplt --agent gemini

# With API key instead of OAuth
cplt --agent gemini --pass-env GEMINI_API_KEY

Security notes for Gemini:

• Gemini config/auth (~/.gemini/) is writable in the sandbox
• Keychain access is enabled (used for extension integrity verification)
• OAuth browser flow requires --allow-browser for first-time login
• --resume, --continue, --remote, --name flags are Copilot-specific and ignored for Gemini

cplt can sandbox Antigravity CLI. Use antigravity as the canonical cplt agent name (aliases agy and agi are accepted).

# Run Antigravity CLI
cplt --agent antigravity

# Set Antigravity as your default agent
cplt config set sandbox.agent antigravity

Security notes for Antigravity:

• Antigravity config (~/.gemini/config/) and runtime data (~/.gemini/antigravity-cli/) are writable in the sandbox
• Keychain access is enabled (used by OAuth/keyring-based auth)
• OAuth browser flow requires --allow-browser for first-time login
• --continue and --resume[=ID] are mapped to Antigravity's --continue / --conversation ID; --remote and --name are ignored

cplt can sandbox Pi (@earendil-works/pi-coding-agent). Pi supports multiple LLM providers via API keys.

# Run Pi (must be explicit — not auto-detected due to binary name collision risk)
cplt --agent pi

# Pass your provider API key
cplt --agent pi --pass-env ANTHROPIC_API_KEY

# Set Pi as your default agent
cplt config set sandbox.agent pi

Security notes for Pi:

• Not auto-detected: the pi binary name is too generic and may collide with other tools. Use --agent pi or set sandbox.agent = "pi" in config
• API keys are opt-in: ANTHROPIC_API_KEY, OPENAI_API_KEY, GEMINI_API_KEY, OPENROUTER_API_KEY must be explicitly passed via --pass-env
• Pi config/auth (~/.pi/) is writable in the sandbox
• Pi managed binaries (~/.pi/agent/bin/) have process-exec permission (for bundled fd, rg)
• Keychain access is disabled

Run a plain sandboxed shell — no AI agent, same security restrictions. Useful for testing build tools, debugging sandbox issues, or working in a secure environment manually.

# Interactive sandboxed shell (uses $SHELL — fish, zsh, bash)
cplt --agent shell

# Inspect what's allowed without entering the shell
cplt --agent shell --print-profile

The sandbox applies the same deny-by-default rules — filesystem isolation, network restrictions, env sanitization. Shell config directories (fish variables/history, zsh history) are writable.

Tip: To run a single command non-interactively, use cplt exec — it is cleaner for scripting and shell aliases than cplt --agent shell -- -c 'cmd'.

Run any command inside the sandbox without starting an AI agent. Clean for scripting, piping, and shell aliases — no startup banner, no confirmation prompt.

# Sandbox a single command
cplt exec -- npm install
cplt exec -- make build
cplt exec -- go test ./...

# Compound commands via $SHELL -c
cplt exec -c "npm install && npm test"

# Pass sandbox flags as usual
cplt exec --allow-lifecycle-scripts -- npm install
cplt exec --project-dir /path/to/repo -- make build
cplt exec --with-proxy -- curl https://example.com

# Shell aliases for sandboxed tools
alias npm="cplt exec -- npm"
alias node="cplt exec -- node"
alias python="cplt exec -- python"

All top-level cplt flags apply: --project-dir, --allow-read, --deny-path, --with-proxy, --pass-env, etc.

Use --no-quiet to see the full sandbox configuration summary before the command runs.

# Most common: run Copilot in sandbox
cplt -- -p "fix the tests"

# Resume a previous session
cplt --resume

# Resume a named session
cplt --resume=my-refactor

# Resume the most recent session in this directory
cplt --continue

# Start a named remote session
cplt --remote --name my-task -- -p "fix the tests"

# Check environment before first run
cplt doctor

# Disable proxy for a single run (proxy is on by default)
cplt --no-proxy -- -p "fix the tests"

# Let Copilot read a shared library directory
cplt --allow-read ~/shared-libs -- -p "use shared-libs"

# Allow outbound on extra ports (e.g., external API)
cplt --allow-port 8443 -- -p "test the API"

# Allow localhost for MCP servers or dev servers
cplt --allow-localhost 3000 --allow-localhost 8080 -- -p "use the MCP server"

# Allow all localhost (needed for Next.js/Turbopack, Vite builds)
cplt --allow-localhost-any -- -p "fix the build"

# Non-interactive / CI usage (skip confirmation prompt)
cplt --yes -- -p "fix the tests"

# Block a path you don't want Copilot to see
cplt --deny-path ~/.config/gh -- -p "refactor auth"

# Pass a specific env var through (e.g. custom tool config)
cplt --pass-env MY_CUSTOM_VAR --pass-env ANOTHER_VAR -- -p "run with custom config"

# Inherit full environment (dangerous — only for debugging)
cplt --inherit-env -- -p "debug the build"

# Block paste sites
cplt --blocked-domains ./blocked-domains.txt -- -p "refactor"

# Use an internal MCP server on the corporate network
cplt --allow-private-domain intern.nav.no -- -p "use mcp-onboarding"

# Inspect the generated sandbox profile
cplt --print-profile

# Debug: see what the sandbox blocks in real time
cplt --show-denials -- -p "fix the tests"

# Run OpenCode with Copilot subscription (no API key needed)
cplt --agent opencode

# Run OpenCode with a third-party provider
cplt --agent opencode --pass-env ANTHROPIC_API_KEY

# Run OpenCode with auto-detection (if copilot not in PATH)
cplt --pass-env ANTHROPIC_API_KEY

# Run a sandboxed shell (no AI agent)
cplt --agent shell

# Run a one-off command in the sandbox
cplt exec -- npm test
cplt exec -c "npm install && npm test"

cplt is configured at two levels: global (developer preferences) and per-repo (team policy).

# Set global preferences
cplt config set sandbox.quiet true
cplt config set proxy.blocked_domains "~/.config/cplt/blocked-domains.txt"
cplt config set gh_guard.enabled true
cplt config set git_guard.enabled true

# Set per-repo policy (committed to .cplt.toml)
cplt config set --repo sandbox.allow_jvm_attach true
cplt config set --repo deny.paths "~/secrets"

# Inspect
cplt config show      # show effective config (file + defaults)
cplt config explain   # list all keys with descriptions

Precedence (highest to lowest):

1. CLI flags
2. Global config file (~/.config/cplt/config.toml)
3. Built-in defaults

Per-repo config (.cplt.toml) operates as a separate layer: [deny] tightens unconditionally, and approved permissions are additive only — they can enable features but cannot disable anything set by CLI or global config.

These keys stay in ~/.config/cplt/config.toml and are rejected from .cplt.toml because they are machine-specific or local preferences:

sandbox.agent, sandbox.quiet, sandbox.yes, sandbox.validate, sandbox.scratch_dir, sandbox.pass_env, sandbox.inherit_env, sandbox.allow_cache_exec, sandbox.allow_cache_exec_any, proxy.enabled, proxy.port, proxy.log_file, proxy.log_level, proxy.blocked_domains, proxy.allowed_domains, and all [gh_guard], [git_guard], and [audit] keys

Commit a .cplt.toml to your repository root to enforce team policy:

[deny]                    # Applied automatically — no opt-in needed
paths = ["~/secrets", "~/.vault-token"]
env = ["VAULT_TOKEN", "DATABASE_URL"]

[propose]                 # Requires developer approval (cplt trust accept)
gh_guard = true
git_push_prevention = true
allow_jvm_attach = true
allow_docker = true

[propose.allow]
ports = [5432]
localhost = [3000]

• [deny] — applied automatically (can only tighten, never weaken)
• [propose] — requires approval: cplt trust accept --all
• Read from git HEAD — tamper-proof; content-pinned approvals

Detect your project's tooling and generate a .cplt.toml automatically:

cplt init             # preview detected permissions
cplt init --write     # write .cplt.toml to disk
cplt init --quiet     # output only TOML (pipe-friendly)
cplt init --global    # generate personal ~/.config/cplt/config.toml

Supported ecosystems: JVM (Gradle/Maven), Node.js, Docker, Python, Rust, Go, Playwright, Spring Boot, Ktor, TestContainers, Next.js, Vite, Flyway, Cypress, and environment secrets (.env.example). Dangerous permissions include risk warnings in the generated TOML.

--global detects machine-level tools (Gradle wrapper, Playwright browsers, GPG signing, alternative agents) and generates your personal config.

Use cplt config set --repo to manage without editing TOML by hand:

cplt config set --repo sandbox.allow_jvm_attach true
cplt config set --repo deny.paths "~/secrets"

📖 Full details: docs/configuration.md

┌──────────────────────────────────┐
│  cplt (Rust binary)              │
│  ┌───────────┐  ┌─────────────┐  │
│  │ Policy    │  │ CONNECT     │  │
│  │ Generator │  │ Proxy       │  │
│  └─────┬─────┘  │ (optional)  │  │
│        │        └─────────────┘  │
│        ▼                         │
│  ┌─────────────┬────────────┐    │
│  │   macOS     │   Linux    │    │
│  │  Seatbelt   │  Landlock  │    │
│  │  sandbox-   │  + seccomp │    │
│  │  exec       │  pre_exec  │    │
│  └─────────────┴────────────┘    │
│        │                         │
│        ▼                         │
│  copilot (sandboxed)             │
│  ├── All child processes         │
│  ├── Cannot read ~/.ssh          │
│  ├── Network port-restricted     │
│  ├── SSH agent blocked           │
│  └── Filesystem = primary ctrl   │
└──────────────────────────────────┘

Security model: deny-by-default filesystem with kernel enforcement. On macOS and Linux with kernel 6.7+ (Landlock ABI v4), network is restricted to port 443 (HTTPS) by default (use --allow-port for extras). On older Linux kernels, network restriction is provided by the CONNECT proxy (enabled by default). SSH agent access and localhost outbound are blocked at the kernel level (macOS) or via the proxy (Linux). The profile generator auto-discovers your environment (--doctor) and only includes tool directories that actually exist on disk — fewer rules means a tighter sandbox.

Platform-specific details:

• macOS: Seatbelt/SBPL profile generated and passed to sandbox-exec
• Linux: Landlock LSM rules + seccomp-BPF filter applied via pre_exec (kernel 5.13+, TCP port filtering on 6.7+)

See SECURITY.md for the full threat model, defense layers, and honest gaps.

Single static binary. Minimal dependencies. No runtime services, no telemetry. Three defense layers with clear security boundaries:

What cplt protects against:

• Secret exfiltration (SSH keys, cloud creds, .env files) — kernel-blocked
• Unauthorized code execution from temp dirs — kernel-blocked
• Persistence via git hooks / cache dir binaries — kernel-blocked
• Data exfiltration to unauthorized domains — proxy-blocked
• Accidental pushes to main / PR merges without review — guard-blocked

What cplt does NOT protect against:

• Malicious code within the project directory (agent has full read/write)
• Logic bugs introduced by the agent (code review still needed)
• Bypass of command guard by a sophisticated adversary (use server-side branch protection)
• Network attacks on allowed domains (if github.com is allowed, agent can read/write there)
• macOS Keychain access (needed for Copilot auth — contents are password-protected)

Our priorities, in order:

1. Correct — every claim is tested, every edge case has a CVE or research reference
2. Transparent — read SECURITY.md, it hides nothing
3. Simple — single static binary, zero config required, sane defaults
4. Useful — get out of the way and let the agent do its job, safely

📖 Full details: docs/security.md · SECURITY.md

The sandbox blocks some workflows by design. Common issues and fixes:

📖 Full details with tables and troubleshooting: docs/known-impacts.md

The proxy is on by default — logs and filters all outbound connections. Features:

• Connection logging — see every domain the agent connects to
• Domain blocking — block exfiltration infrastructure (paste sites, webhooks)
• Domain allowlisting — restrict to known-safe domains only
• Audit log — persistent file log for post-session review

cplt --no-proxy -- -p "fix tests"                    # disable for one run
cplt --blocked-domains blocked-domains.txt -- -p "x"  # block known-bad domains
cplt --allowed-domains allowed-domains.txt -- -p "x"  # allowlist mode

📖 Full details: docs/proxy.md

When enabled, cplt intercepts gh and git commands via wrapper scripts in $PATH:

This is a soft barrier (Layer 3) — prevents compliant agents from accidental destructive operations. For hard boundaries, rely on kernel sandbox + server-side branch protection.

📖 Full details: docs/gh-guard.md · docs/git-guard.md

npm/yarn/pnpm lifecycle scripts are blocked by default via npm_config_ignore_scripts=true and YARN_ENABLE_SCRIPTS=false. This prevents supply chain attacks through postinstall hooks, but may break packages that require post-install steps:

Fix:

cplt config set sandbox.allow_lifecycle_scripts true

Or for a single run: cplt --allow-lifecycle-scripts

Tools that compile-then-execute from $TMPDIR are blocked by default because the sandbox denies process-exec and file-map-executable from /private/tmp and /private/var/folders. This affects:

Fix: The scratch dir is now on by default — cplt creates ~/Library/Caches/cplt/tmp/{session-id}/ with rwx permissions, redirects TMPDIR, TMP, TEMP, and GOTMPDIR there, and cleans up on exit. Stale directories older than 24 hours are garbage-collected on startup.

JVM note: On macOS, the JVM ignores TMPDIR — it reads java.io.tmpdir from confstr(_CS_DARWIN_USER_TEMP_DIR) which always returns /var/folders/.... cplt automatically injects -Djava.io.tmpdir=<scratch> -Djansi.tmpdir=<scratch> -Djava.rmi.server.hostname=localhost -Djava.net.preferIPv4Stack=true via JAVA_TOOL_OPTIONS so that Maven Surefire forks, the Kotlin compiler daemon, and Jansi native lib extraction all use the scratch dir. The RMI hostname flag ensures the Kotlin daemon's Java RMI communication stays on localhost. The preferIPv4Stack flag forces pure IPv4 sockets so that the sandbox's localhost filtering works correctly for Java (without it, Java's dual-stack IPv6 sockets produce IPv4-mapped addresses that SBPL can't match). Override with --pass-env JAVA_TOOL_OPTIONS if you need custom JVM flags. For inline mocking (MockK, Mockito, ByteBuddy), also add --allow-jvm-attach — see JVM Attach API.

Gradle 9+ nested sandbox: Starting with Gradle 8.8, the Gradle daemon runs inside its own macOS sandbox via sandbox-exec (controlled by GRADLE_MACOS_SANDBOX env var, previously org.gradle.daemon.sandbox property). This conflicts with cplt's sandbox because macOS does not support nested sandbox-exec calls — the inner sandbox fails with "Operation not permitted" on socket operations. cplt automatically injects GRADLE_MACOS_SANDBOX=off to disable Gradle's redundant sandbox (cplt already provides kernel-level sandboxing). This is a known upstream issue affecting any tool that wraps Gradle in an outer sandbox. Override with --pass-env GRADLE_MACOS_SANDBOX if you need Gradle's own sandbox for some reason.

Gradle/JVM still failing? Some JVM native libraries (e.g. libjli.dylib, JNI libs) use dlopen from the system temp dir before JAVA_TOOL_OPTIONS takes effect. If you see "Operation not permitted" during JVM startup itself (not Gradle build), add --allow-tmp-exec:

# Recommended for Gradle projects (localhost + tmp exec + JVM attach):
cplt --allow-localhost-any --allow-tmp-exec --allow-jvm-attach -- -p "run tests"

# Or set permanently:
cplt config set sandbox.allow_localhost_any true
cplt config set sandbox.allow_tmp_exec true
cplt config set sandbox.allow_jvm_attach true

Kotlin daemon on Linux: The Kotlin compiler daemon writes marker files to ~/.local/share/kotlin/daemon/ and communicates via localhost. If you see AccessDeniedException: .../kotlin-daemon-client-tsmarker*.tmp, cplt grants write access to ~/.local/share/kotlin/ automatically. If the daemon still can't connect (falls back to non-daemon compilation with garbled Unicode paths), ensure --allow-localhost-any is set — the daemon uses ephemeral ports:

# Recommended for Kotlin/Gradle on Linux:
cplt config set sandbox.allow_localhost_any true
cplt config set sandbox.allow_jvm_attach true

# If you need additional write paths (e.g. custom Kotlin data dir):
cplt config set allow.write "~/.local/share/kotlin"

If you're still seeing this error, check that you haven't set scratch_dir = false in your config:

cplt config explain sandbox.scratch_dir

Some tools unpack and execute binaries directly from ~/Library/Caches (macOS) / ~/.cache (Linux), which is exec-blocked by default:

Fix:

cplt config set sandbox.allow_cache_exec ms-playwright
cplt config set sandbox.allow_cache_exec pnpm/dlx

Or for a single run: cplt --allow-cache-exec ms-playwright --allow-cache-exec pnpm/dlx

Playwright on Linux: run Chromium with its own sandbox disabled (chromiumSandbox: false in playwright.config, or launch with --no-sandbox). cplt's Landlock + seccomp is the enforcing boundary, and the seccomp filter blocks the unshare/setns syscalls that Chromium's nested namespace sandbox needs. This is the standard way to run Chromium inside another sandbox.

--allow-cache-exec-any opens exec for the entire cache tree (~/Library/Caches on macOS, ~/.cache on Linux) — use only as a last resort.

Localhost outbound is blocked by default, which prevents sandboxed processes from connecting to local services:

Fix: Use --allow-localhost <PORT> for specific services, or --allow-localhost-any for build tools that use random ports (Next.js, Vite, esbuild).

JVM localhost (background): The JVM opens dual-stack IPv6 sockets by default. Without intervention, macOS sees Java's connections to 127.0.0.1 as IPv4-mapped (::ffff:127.0.0.1) which the sandbox can't match with port-level precision. cplt solves this by injecting -Djava.net.preferIPv4Stack=true via JAVA_TOOL_OPTIONS, forcing pure IPv4 sockets so that --allow-localhost <PORT> works for Java. Override with --pass-env JAVA_TOOL_OPTIONS if you need custom JVM flags (and use --allow-localhost-any as fallback).

Docker is intentionally blocked — ~/.docker is denied and the Docker socket is not accessible. This is by design: Docker gives near-root access to the host system, which defeats the purpose of sandboxing.

• Docker commands, docker compose, and Testcontainers will fail
• Local databases via Docker Compose need --allow-localhost <PORT> for the exposed port (the database container runs outside the sandbox)
• Consider running database/Kafka containers before starting cplt, then use --allow-localhost for the ports

Opting in (⚠️ dangerous): If you understand the risks (container mounts bypass the sandbox entirely), you can allow Docker access:

cplt config set sandbox.allow_docker true
# or per-session:
cplt --allow-docker

SSH agent access is blocked (unix socket denied), which means:

• git clone over SSH will fail — use HTTPS clones instead
• ssh commands spawned by the agent will fail
• gh CLI uses HTTPS by default and is unaffected

macOS TCC (Transparency, Consent, and Control) protects certain folders at the kernel level. Without Full Disk Access, Copilot CLI cannot access ~/Desktop or ~/Documents with or without cplt — this is a macOS restriction, not a sandbox limitation. The cplt sandbox remains fully active regardless of FDA status.

Fix: Grant Full Disk Access to your terminal (recommended):

1. Open System Settings → Privacy & Security → Full Disk Access
2. Enable your terminal app (Terminal.app, iTerm2, Ghostty, etc.)
3. Restart the terminal — TCC grants only take effect for new processes

This lifts TCC restrictions for all child processes while the cplt sandbox continues to enforce its own deny-by-default rules (write protection, network filtering, dotfile access, etc.).

Alternatives (if you prefer not to grant FDA):

1. Copy files into your project:

   cp ~/Desktop/screenshot.png .

2. Use a non-protected folder for screenshots:

   defaults write com.apple.screencapture location ~/Screenshots
   mkdir -p ~/Screenshots

   Then add to config:

   [sandbox]
   allow_read = ["~/Screenshots"]

Git commit and push work out of the box over HTTPS — no extra flags needed.

Prerequisites:

1. Use HTTPS remotes (not SSH). Check with git remote -v:

   # If you see git@github.com:org/repo.git, switch to HTTPS:
   git remote set-url origin https://github.com/org/repo.git

   Or rewrite globally for all repos (no remote changes needed):

   git config --global url."https://github.com/".insteadOf "git@github.com:"

   This makes git transparently use HTTPS even when remotes are configured as SSH. The rewrite is read from ~/.gitconfig which is readable inside the sandbox.
2. Authenticate with gh — cplt serves the token to Copilot at startup:

   gh auth login   # one-time setup outside the sandbox

   When gh guard is enabled, cplt caches the token at launch and serves it once to Copilot via gh auth token — then deletes the cache. Subprocesses cannot retrieve the token afterward.
3. Configure git credential helper (if not already set by gh auth setup-git):

   gh auth setup-git   # sets credential.helper to use gh

That's it. The agent can now git add, git commit, git push, create branches, and fetch — all inside the sandbox.

Optional: signed commits — add --allow-gpg-signing (see GPG signing).

Why is SSH blocked? The SSH agent socket gives access to all loaded keys, which could authenticate to any host. HTTPS with gh credential helper is scoped to GitHub only. See SSH agent blocking.

Tip: Protect your main branch with branch protection rules to prevent the agent from pushing directly to main or force-pushing. This is good practice regardless of cplt.

Certain git operations are blocked to prevent persistence attacks that survive the sandbox session:

Global git hooks: If core.hooksPath is set in ~/.gitconfig, cplt auto-detects the hooks directory and allows reading it so git operations succeed. Write access is explicitly denied to prevent persistence attacks. The hooks path must be under $HOME with at least 3 path components (e.g. ~/.config/git/hooks) to prevent overly broad read access.

Commit signing: ~/.ssh and ~/.gnupg are blocked, so GPG/SSH signing would fail. Instead of opening private key directories, cplt injects GIT_CONFIG_COUNT/GIT_CONFIG_KEY_N/GIT_CONFIG_VALUE_N env vars to disable commit.gpgsign and tag.gpgsign inside the sandbox. Commits made by Copilot are unsigned — this is expected since users typically re-sign on merge/squash. Use --allow-gpg-signing to override this (see GPG signing).

GPG commit/tag signing is disabled by default because ~/.gnupg is blocked. Copilot commits are unsigned — you re-sign on merge/squash.

If you want Copilot commits to be signed (e.g. branch protection requires signatures):

cplt config set sandbox.allow_gpg_signing true

Or for a single run: cplt --allow-gpg-signing

Setup checklist:

Before using this flag, verify GPG signing works outside the sandbox:

# 1. Check your signing key is configured
git config --get user.signingkey          # should show your key ID

# 2. Check gpg-agent is running
gpg-connect-agent 'GETINFO version' /bye  # should print version + OK

# 3. Cache your passphrase (so signing doesn't hang)
echo "test" | gpg --clearsign > /dev/null  # triggers passphrase prompt

# 4. Verify git signing works
git commit --allow-empty -S -m "test signed commit"
git log --show-signature -1               # should show "Good signature"
git reset HEAD~1                          # undo the test commit

If all of that works, cplt --allow-gpg-signing will work too. The gpg-agent runs outside the sandbox, so pinentry prompts appear normally — the sandbox only needs to reach the agent socket.

Note: Signature verification (git log --show-signature) won't work inside the sandbox because GPG opens trustdb.gpg for writing during verification. This is harmless — signing works correctly, and signatures can be verified outside the sandbox or in CI.

Troubleshooting:

What this does:

Security notes:

• Private keys are NOT exposed. GPG agent holds keys in memory — the Assuan IPC protocol has no command to export private key material. The private-keys-v1.d/ directory remains denied even with this flag.
• Risk: signature impersonation and decryption. A compromised process with agent socket access can request signatures on arbitrary data (adding a "Verified" badge) and, if an encryption subkey exists, decrypt arbitrary ciphertext. This is the same level of impersonation Copilot already has for unsigned commits — signing just adds the badge.
• GPG-only. This flag does not enable SSH signing (gpg.format=ssh). SSH keys and SSH_AUTH_SOCK remain blocked.
• --deny-path wins. If you specify --deny-path ~/.gnupg alongside --allow-gpg-signing, the deny takes precedence — all GPG allows are suppressed.
• GNUPGHOME is not supported yet — only the default ~/.gnupg location is allowed.

JVM testing frameworks like MockK (inline mocking), Mockito (inline agents), and ByteBuddy use the JVM Attach API for runtime class instrumentation. This API creates a Unix domain socket at /tmp/.java_pid<PID> — which the sandbox blocks by default.

Enable it with --allow-jvm-attach:

cplt --allow-jvm-attach -- -p "run the tests"

Or permanently in config:

cplt config set sandbox.allow_jvm_attach true

When to enable:

• Kotlin/Java projects using MockK with mockk() or mockkStatic() inline mocking
• Projects using Mockito with Mockito.mock() on final classes (requires ByteBuddy agent)
• Any test suite that gets "Could not self-attach to current VM using external process" errors
• JMX monitoring tools that attach to running JVMs

How it works: The JVM creates a socket at /tmp/.java_pid<PID> (hardcoded path, not affected by java.io.tmpdir). A helper JVM process connects to this socket to load an instrumentation agent. The sandbox rule uses a regex pattern that only allows sockets matching .java_pid<PID> — all other Unix sockets in /tmp (including SSH agent, tmux, PostgreSQL) remain blocked.

Security note: This opens a narrow IPC channel for .java_pid*-named sockets only. SSH agent access (SSH_AUTH_SOCK) is NOT exposed — on macOS it lives at /private/tmp/com.apple.launchd.*/Listeners which does not match the pattern.

Only port 443 is allowed by default. Services on other ports need --allow-port:

• npm install from private registries on non-standard ports
• API calls to services not on 443
• FTP, SMTP, or other protocol connections

Registry credential files are blocked by default because they typically contain passwords or tokens that a rogue agent could exfiltrate:

For Maven, Gradle, and Cargo files, you can override this with --allow-read:

Fix:

cplt config set allow.read "~/.m2/settings.xml"
cplt config set allow.read "~/.gradle/gradle.properties"

Or for a single run: cplt --allow-read ~/.m2/settings.xml

Note: .npmrc cannot be overridden — it is in the hard-deny list alongside .netrc and .pypirc. If you need npm private registry access, consider using project-level .npmrc (which is readable as part of the project directory) with a token injected via environment variable.

Linux limitation: These file-level denials are only enforced on macOS (via SBPL literal deny rules). On Linux, Landlock cannot deny individual files within an allowed directory — the parent dirs (.m2, .gradle, .cargo) remain fully readable for dependency resolution.

• sandbox-exec is deprecated — Apple has not removed it but may in future macOS versions
• SBPL has no domain-based filtering — the optional CONNECT proxy provides domain blocking

• Kernel 5.13+ required — Landlock LSM must be enabled
• TCP port filtering requires kernel 6.7+ — older kernels get filesystem-only enforcement
• Landlock cannot deny subpaths within allowed paths — .env read/write/delete and .git/hooks writes inside the project dir are not kernel-enforced
• --deny-path has no effect — Landlock is allowlist-only

📖 Full details: docs/security.md

Contributions are welcome! To get started:

git clone https://github.com/navikt/cplt.git && cd cplt
git config core.hooksPath hack    # enables pre-commit fmt + clippy checks
mise run check                    # runs fmt, clippy, and tests

Please open an issue before starting large changes. All PRs must pass CI (fmt, clippy, tests).

• SECURITY.md — Full security model, threat analysis, test strategy, and prior art
• Apple sandbox-exec(1)
• Chromium Seatbelt V2 Design
• Landlock LSM documentation
• seccomp-BPF documentation
• OWASP SSRF Prevention Cheat Sheet
• michaelneale/agent-seatbelt-sandbox

MIT