Sandboxing

Overview

Sandboxing controls the agent’s ability to interact with your system. It determines which tools are available, which operations need approval, and what actions are blocked entirely.

Sandbox Modes

Unrestricted
Sandboxed (Default)
Locked

{ "security": { "mode": "unrestricted" } }

All tools available
No approval required
Suitable for: trusted personal environments, development

{ "security": { "mode": "sandboxed" } }

All tools available
Dangerous operations require user approval
Commands matching blocked patterns are rejected
Suitable for: most personal and team deployments

{ "security": { "mode": "locked" } }

Only safe tools (memory, tasks, doc_panel)
No command execution
No browser automation
Suitable for: customer-facing agents, public deployments

Tool Policies

Fine-grained policies override the global sandbox mode for individual tools:

{
  "toolPolicies": {
    "exec": {
      "mode": "approval-required",
      "blockedPatterns": [
        "rm -rf",
        "sudo",
        "chmod 777",
        "mkfs",
        "> /dev/"
      ],
      "allowedPaths": [
        "/Users/sem/projects/",
        "/tmp/"
      ]
    },
    "browser": {
      "mode": "allowed",
      "blockedDomains": [
        "banking.example.com",
        "*.internal.company.com"
      ]
    },
    "memory_store": {
      "mode": "allowed"
    },
    "memory_recall": {
      "mode": "allowed"
    }
  }
}

Blocked Patterns

The blockedPatterns array uses substring matching against the command string. If any pattern matches, the command is rejected without asking for approval. Common patterns to block:

Pattern	Reason
`rm -rf /`	Prevents recursive deletion of root
`sudo`	Prevents privilege escalation
`chmod 777`	Prevents world-writable permissions
`mkfs`	Prevents filesystem formatting
`> /dev/`	Prevents writing to device files
“ :(){ :	:& };: “	Fork bomb

Approval Flow

When an operation requires approval:

In the Dashboard
In Channels

A modal appears with the command or action details. The user clicks “Approve” or “Reject.”

If no approval is received within a configurable timeout (default: 5 minutes), the operation is rejected automatically.

Path Restrictions

The allowedPaths array restricts where the exec tool can operate:

{
  "exec": {
    "allowedPaths": ["/Users/sem/projects/", "/tmp/"]
  }
}

Commands that attempt to access paths outside the allowed list are blocked.

Testing Your Sandbox

# Verify current security mode
argent config get security.mode

# Test a command against policies
argent security test "rm -rf /tmp/old-files"

Web UI

Dashboard

Tasks

Gateway & Ops

Intent & Safety

Security

Overview

Sandbox Modes

Tool Policies

Blocked Patterns

Approval Flow

Path Restrictions

Testing Your Sandbox

Web UI

Dashboard

Tasks

Gateway & Ops

Intent & Safety

Security

​Overview

​Sandbox Modes

​Tool Policies

​Blocked Patterns

​Approval Flow

​Path Restrictions

​Testing Your Sandbox

Overview

Sandbox Modes

Tool Policies

Blocked Patterns

Approval Flow

Path Restrictions

Testing Your Sandbox