> ## Documentation Index
> Fetch the complete documentation index at: https://docs.argentos.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Sandboxing

> Control what your agent can do with sandboxing modes and tool policies.

## Overview

Sandboxing controls the agent's ability to interact with your system. It determines which tools are available, which operations need approval, and what actions are blocked entirely.

## Sandbox Modes

<Tabs>
  <Tab title="Unrestricted">
    ```json theme={null}
    { "security": { "mode": "unrestricted" } }
    ```

    * All tools available
    * No approval required
    * Suitable for: trusted personal environments, development
  </Tab>

  <Tab title="Sandboxed (Default)">
    ```json theme={null}
    { "security": { "mode": "sandboxed" } }
    ```

    * All tools available
    * Dangerous operations require user approval
    * Commands matching blocked patterns are rejected
    * Suitable for: most personal and team deployments
  </Tab>

  <Tab title="Locked">
    ```json theme={null}
    { "security": { "mode": "locked" } }
    ```

    * Only safe tools (memory, tasks, doc\_panel)
    * No command execution
    * No browser automation
    * Suitable for: customer-facing agents, public deployments
  </Tab>
</Tabs>

## Tool Policies

Fine-grained policies override the global sandbox mode for individual tools:

```json theme={null}
{
  "toolPolicies": {
    "exec": {
      "mode": "approval-required",
      "blockedPatterns": [
        "rm -rf",
        "sudo",
        "chmod 777",
        "mkfs",
        "> /dev/"
      ],
      "allowedPaths": [
        "/Users/sem/projects/",
        "/tmp/"
      ]
    },
    "browser": {
      "mode": "allowed",
      "blockedDomains": [
        "banking.example.com",
        "*.internal.company.com"
      ]
    },
    "memory_store": {
      "mode": "allowed"
    },
    "memory_recall": {
      "mode": "allowed"
    }
  }
}
```

## Blocked Patterns

The `blockedPatterns` array uses substring matching against the command string. If any pattern matches, the command is rejected without asking for approval.

Common patterns to block:

| Pattern      | Reason                              |           |
| ------------ | ----------------------------------- | --------- |
| `rm -rf /`   | Prevents recursive deletion of root |           |
| `sudo`       | Prevents privilege escalation       |           |
| `chmod 777`  | Prevents world-writable permissions |           |
| `mkfs`       | Prevents filesystem formatting      |           |
| `> /dev/`    | Prevents writing to device files    |           |
| \`\` :()\{ : | :& };: \`\`                         | Fork bomb |

## Approval Flow

When an operation requires approval:

<Tabs>
  <Tab title="In the Dashboard">
    A modal appears with the command or action details. The user clicks "Approve" or "Reject."
  </Tab>

  <Tab title="In Channels">
    The agent sends the command details and waits for a response like "yes" or "approved."
  </Tab>
</Tabs>

<Info>
  If no approval is received within a configurable timeout (default: 5 minutes), the operation is rejected automatically.
</Info>

## Path Restrictions

The `allowedPaths` array restricts where the exec tool can operate:

```json theme={null}
{
  "exec": {
    "allowedPaths": ["/Users/sem/projects/", "/tmp/"]
  }
}
```

Commands that attempt to access paths outside the allowed list are blocked.

## Testing Your Sandbox

```bash theme={null}
# Verify current security mode
argent config get security.mode

# Test a command against policies
argent security test "rm -rf /tmp/old-files"
```
