ArgentOSDocs

Sandboxing

Control what your agent can do with sandboxing modes and tool policies.

Overview

Sandboxing controls the agent's ability to interact with your system. It determines which tools are available, which operations need approval, and what actions are blocked entirely.

Sandbox Modes

Unrestricted

{ "security": { "mode": "unrestricted" } }
  • All tools available
  • No approval required
  • Suitable for: trusted personal environments, development

Sandboxed (Default)

{ "security": { "mode": "sandboxed" } }
  • All tools available
  • Dangerous operations require user approval
  • Commands matching blocked patterns are rejected
  • Suitable for: most personal and team deployments

Locked

{ "security": { "mode": "locked" } }
  • Only safe tools (memory, tasks, doc_panel)
  • No command execution
  • No browser automation
  • Suitable for: customer-facing agents, public deployments

Tool Policies

Fine-grained policies override the global sandbox mode for individual tools:

{
  "toolPolicies": {
    "exec": {
      "mode": "approval-required",
      "blockedPatterns": [
        "rm -rf",
        "sudo",
        "chmod 777",
        "mkfs",
        "> /dev/"
      ],
      "allowedPaths": [
        "/Users/sem/projects/",
        "/tmp/"
      ]
    },
    "browser": {
      "mode": "allowed",
      "blockedDomains": [
        "banking.example.com",
        "*.internal.company.com"
      ]
    },
    "memory_store": {
      "mode": "allowed"
    },
    "memory_recall": {
      "mode": "allowed"
    }
  }
}

Blocked Patterns

The blockedPatterns array uses plain substring matching against the full command string; patterns are literal text, not regular expressions. If any pattern occurs anywhere in the command, the command is rejected outright, with no approval prompt.

Two consequences follow from substring matching. A pattern also matches inside unrelated text, so "sudo" rejects "echo sudoku" and "> /dev/" rejects the harmless "> /dev/null". Conversely, a pattern only catches its exact spelling, so "rm -rf /" does not catch "rm -fr /" or "rm -r -f /", and a command that is encoded or assembled at run time contains none of the patterns at all. Treat blockedPatterns as a backstop that fails fast on well-known destructive commands, and rely on the sandbox mode and the approval requirement as the actual control.

Common patterns to block:

Pattern              Reason
rm -rf /             Prevents recursive deletion of root
sudo                 Prevents privilege escalation
chmod 777            Prevents world-writable permissions
mkfs                 Prevents filesystem formatting
> /dev/              Prevents writing to device files
:(){ :|:& };:        Prevents a fork bomb
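The following Python script is an added example, not ArgentOS code: the page documents only that blockedPatterns is substring-matched, not how the engine is built, so the function names (load_exec_policy, evaluate, run_cases) are illustrative. It loads a policy constructed to mirror the exec section of the Tool Policies configuration above, runs a handful of constructed commands through a literal substring check, and shows both sides of the behaviour described in Blocked Patterns: the page's own test command is rejected, unrelated text that happens to contain a pattern is rejected too, and an equivalent spelling or an encoded payload passes straight through to the approval flow.

```python
"""Evaluate shell commands against an exec tool policy with literal substring
matching. Added example, not ArgentOS code; the policy mirrors the exec
section of the example configuration on this page."""
import json
from typing import List, Optional, Tuple

# Constructed from the example toolPolicies configuration above.
POLICY_JSON = """
{
  "toolPolicies": {
    "exec": {
      "mode": "approval-required",
      "blockedPatterns": ["rm -rf", "sudo", "chmod 777", "mkfs", "> /dev/"],
      "allowedPaths": ["/Users/sem/projects/", "/tmp/"]
    }
  }
}
"""


def load_exec_policy(policy_json: str) -> dict:
    """Pull the exec tool policy out of a toolPolicies document (hypothetical helper)."""
    return json.loads(policy_json)["toolPolicies"]["exec"]


def evaluate(command: str, policy: dict) -> Tuple[str, Optional[str]]:
    """Return (decision, matched_pattern).

    A blocked pattern wins as soon as it occurs anywhere in the command string
    as a literal substring (no regex, no tokenizing, no normalization), and the
    command is rejected with no approval prompt. Otherwise the decision is the
    tool's mode ("approval-required" here) and the approval flow takes over.
    """
    for pattern in policy.get("blockedPatterns", []):
        if pattern in command:
            return "blocked", pattern
    return policy.get("mode", "approval-required"), None


# Constructed commands chosen to show what substring matching does and does
# not catch. "cm0gLXJmIC8=" is base64 for "rm -rf /".
CASES: List[str] = [
    "rm -rf /tmp/old-files",                    # hit on "rm -rf"
    "ls /tmp/old-files",                        # no pattern, so approval-required
    "echo sudoku",                              # false positive on "sudo"
    "curl -s https://example.com > /dev/null",  # harmless null redirect, hit on "> /dev/"
    "rm -fr /tmp/old-files",                    # same effect as rm -rf, not caught
    "echo cm0gLXJmIC8= | base64 -d | sh",       # encoded payload, not caught
]


def run_cases(policy_json: str = POLICY_JSON) -> dict:
    """Evaluate every case and return {command: (decision, matched_pattern)}."""
    policy = load_exec_policy(policy_json)
    return {cmd: evaluate(cmd, policy) for cmd in CASES}


if __name__ == "__main__":
    for cmd, (decision, pattern) in run_cases().items():
        why = f" (pattern {pattern!r})" if pattern else ""
        print(f"{decision:<18} {cmd}{why}")
```

The last two cases are the reason the list is a backstop rather than a boundary: a blocklist can only name spellings its author thought of, while the approval prompt and the locked mode apply to every command regardless of how it is written.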

Approval Flow

When an operation requires approval:

In the Dashboard

A modal appears with the command or action details. The user clicks "Approve" or "Reject."

In Channels

The agent sends the command details and waits for a response like "yes" or "approved."

Timeout

If no approval is received within a configurable timeout (default: 5 minutes), the operation is rejected automatically.

Path Restrictions

The allowedPaths array restricts where the exec tool can operate:

{
  "exec": {
    "allowedPaths": ["/Users/sem/projects/", "/tmp/"]
  }
}

Any command that references a path outside the allowed list is blocked. The list is an allowlist: only the absolute directories it names are reachable, and everything else is denied.
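The page says out-of-list paths are blocked but not how paths are identified or compared, so the Python below is an added example of how such a check is normally written, not ArgentOS code; the token extraction (absolute-path tokens plus redirection targets), the function names (path_tokens, outside_allowed, check_paths) and the test commands are all constructed for illustration. It uses the example allowedPaths above and shows the two pitfalls a path allowlist must handle: ".." segments that lexically escape an allowed directory, and a plain prefix test that would let "/tmpfoo" pass as if it were under "/tmp/".

```python
"""Allowlist check for paths referenced by an exec command. Added example,
not ArgentOS code; allowedPaths copied from the example configuration above."""
import os
import shlex
from typing import List, Optional

ALLOWED_PATHS = ["/Users/sem/projects/", "/tmp/"]


def path_tokens(command: str) -> List[str]:
    """Return the tokens of the command that look like absolute paths.

    Redirection targets such as '>/etc/cron.d/job' are included by stripping
    the redirection operator first. Relative paths are deliberately not
    returned: their meaning depends on the working directory, which a string
    check cannot see, so an enforcement point has to resolve them at run time.
    """
    paths = []
    for tok in shlex.split(command):
        tok = tok.lstrip("<>")
        if tok.startswith("/"):
            paths.append(tok)
    return paths


def outside_allowed(path: str, allowed: List[str]) -> bool:
    """True when the normalized path is not under any allowed directory.

    os.path.normpath collapses '.' and '..', so '/tmp/../etc/passwd' is
    compared as '/etc/passwd'. os.path.commonpath compares whole path
    components, so '/tmpfoo' does not count as being under '/tmp'; a naive
    str.startswith('/tmp') would accept it. Normalization here is lexical
    only: a real enforcement point should also resolve symlinks with
    os.path.realpath before comparing.
    """
    norm = os.path.normpath(path)
    for root in allowed:
        root_norm = os.path.normpath(root)
        if os.path.commonpath([norm, root_norm]) == root_norm:
            return False
    return True


def check_paths(command: str, allowed: List[str] = ALLOWED_PATHS) -> Optional[str]:
    """Return the first path that falls outside the allowlist, or None if all are allowed."""
    for p in path_tokens(command):
        if outside_allowed(p, allowed):
            return p
    return None


if __name__ == "__main__":
    # Constructed commands for the demonstration.
    for cmd in [
        "rm -rf /tmp/old-files",                 # inside /tmp/, allowed by this check
        "cat /Users/sem/projects/app/.env",      # inside an allowed project dir
        "cat /tmp/../etc/passwd",                # '..' escapes /tmp/ after normalization
        "ls /tmpfoo",                            # shares a prefix with /tmp but is not under it
        "echo x > /etc/cron.d/job",              # redirection target outside the list
    ]:
        bad = check_paths(cmd)
        print(("allowed " if bad is None else f"blocked ({bad}) ") + cmd)
```

Note that the first command passes the path check and is still rejected by the "rm -rf" blocked pattern: allowedPaths restricts where a command may reach, and blockedPatterns and the approval requirement decide whether it may run at all.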

Testing Your Sandbox

# Verify current security mode
argent config get security.mode

# Test a command against policies. Under the example exec policy above this
# command is rejected by the "rm -rf" blocked pattern, with no approval prompt.
argent security test "rm -rf /tmp/old-files"

# A command containing no blocked pattern falls through to the tool's mode
# (approval-required in the example policy).
argent security test "ls /tmp/old-files"