[sandbox.os.command_tools]
Each entry is either a bare bundle-name string like "git" (shorthand for the bundle’s defaults) or a table { tool = "<name>", … } that overrides per-bundle knobs.
Bundles
git
git — read binds for ~/.gitconfig, ~/.config/git, /etc/gitconfig; forwards GITHUB_TOKEN + GIT_AUTHOR_* / GIT_COMMITTER_* to git:* patterns.
default_domains
When true, the bundle’s curated default domains are added on top of the custom domains list, so a domains override extends the curated set instead of replacing it. Default false.
domains
Network domains this bundle may reach instead of its curated default list. Omit to use the curated default; set an empty list for no network access.
gh_creds
Whether to use gh auth git-credential for HTTPS git credentials. Omit for automatic wiring when the gh bundle is also enabled.
wrappers
Additional wrapper command prefixes that activate this bundle, unioned with [sandbox.os].wrappers. Omit for no per-entry wrappers.
gh
gh — read bind for ~/.config/gh; forwards GH_TOKEN + GITHUB_TOKEN to gh:*. Ships a D-Bus filter rule (--talk=org.freedesktop.secrets) so keyring-stored tokens (gh auth login prefers libsecret on hosts with a Secret Service) work inside the sandbox via the per-spawn filtered proxy, provided xdg-dbus-proxy is installed and a host session bus is reachable; otherwise the spawn gets DBUS_SESSION_BUS_ADDRESS=disabled: so the keyring probe fails fast and file-based auth (hosts.yml) takes over. On macOS the bundle gets read-write keychain access instead: the profile opens com.apple.securityd + ~/Library/Keychains so gh’s keychain-stored token resolves.
default_domains
When true, the bundle’s curated default domains are added on top of the custom domains list, so a domains override extends the curated set instead of replacing it. Default false.
domains
Network domains this bundle may reach instead of its curated default list. Omit to use the curated default; set an empty list for no network access.
wrappers
Additional wrapper command prefixes that activate this bundle, unioned with [sandbox.os].wrappers. Omit for no per-entry wrappers.
jj
jj — read binds for ~/.config/jj, ~/.jjconfig.toml, and the global git-config search path (~/.gitconfig, ~/.config/git, /etc/gitconfig) that jj’s gitoxide backend reads on every invocation; forwards JJ_USER / JJ_EMAIL / JJ_EDITOR to jj:*.
default_domains
When true, the bundle’s curated default domains are added on top of the custom domains list, so a domains override extends the curated set instead of replacing it. Default false.
domains
Network domains this bundle may reach instead of its curated default list. Omit to use the curated default; set an empty list for no network access.
gh_creds
Whether to use gh auth git-credential for HTTPS git credentials. Omit for automatic wiring when the gh bundle is also enabled.
wrappers
Additional wrapper command prefixes that activate this bundle, unioned with [sandbox.os].wrappers. Omit for no per-entry wrappers.
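A worked configuration combining the two entry forms for the git, gh and jj bundles. This is an added example, not a snippet from the Seal docs or the project: it assumes command_tools is an array under [sandbox.os] (the bare-string / table entry forms imply an array), and the forge host name and wrapper prefixes are illustrative values.

```toml
# Added example; assumes command_tools is an array under [sandbox.os].
[sandbox.os]
# Global wrapper prefixes: every bundle also activates when its binary is
# invoked through one of these (illustrative value).
wrappers = ["mise exec --"]

command_tools = [
  # Bare string: gh with all bundle defaults (read bind on ~/.config/gh,
  # GH_TOKEN / GITHUB_TOKEN forwarding, curated GitHub domains, keyring proxy).
  "gh",

  # Table form for git. `domains` REPLACES the curated list; with
  # default_domains = true the curated GitHub hosts are added back, so git can
  # reach both github.com and the internal forge (git.internal.example is a
  # placeholder). gh_creds is omitted, so HTTPS credentials are wired through
  # `gh auth git-credential` automatically because "gh" is enabled above.
  # The per-entry wrapper is unioned with the global list.
  { tool = "git", domains = ["git.internal.example"], default_domains = true, wrappers = ["nice -n 10"] },

  # jj with an empty domains list: local-only, no network egress at all.
  # gh_creds = false opts out of the automatic gh wiring even though the gh
  # bundle is enabled (there is nothing to authenticate to without network).
  { tool = "jj", domains = [], gh_creds = false },
]
```

The two knobs to read together are domains and default_domains: setting domains alone narrows the bundle to exactly the hosts listed, which is the safer default when a workspace should only talk to an internal forge; default_domains = true is the explicit opt-in to widen that back out to the curated set.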
gt
gt — Graphite CLI (gt). RW bind for ~/.config/graphite (gt auth --token writes user_config there; subsequent gt invocations read AND rewrite it on startup, since updateAutomatically is bumped on version change; the same dir holds aliases); RW bind for ~/.local/share/graphite/debug (per-invocation debug log dir that gt feedback ships to Graphite support); project-relative RW bind for .git (gt writes its per-repo metadata to <repo>/.git/.graphite_repo_config). gt submit shells out to git push over HTTPS, so the bundle can use gh auth git-credential when the gh bundle is also enabled. Default network = github (*.github.com) + graphite (*.graphite.com, *.graphite.dev: the CLI talks to api.graphite.com for stack metadata and, historically, to api.graphite.dev from before the domain migration).
default_domains
When true, the bundle’s curated default domains are added on top of the custom domains list, so a domains override extends the curated set instead of replacing it. Default false.
domains
Network domains this bundle may reach instead of its curated default list. Omit to use the curated default; set an empty list for no network access.
gh_creds
Whether to use gh auth git-credential for HTTPS git credentials. Omit for automatic wiring when the gh bundle is also enabled.
wrappers
Additional wrapper command prefixes that activate this bundle, unioned with [sandbox.os].wrappers. Omit for no per-entry wrappers.
linear
linear — read bind for ~/.config/linear-cli; forwards LINEAR_API_KEY to linear:*.
default_domains
When true, the bundle’s curated default domains are added on top of the custom domains list, so a domains override extends the curated set instead of replacing it. Default false.
domains
Network domains this bundle may reach instead of its curated default list. Omit to use the curated default; set an empty list for no network access.
wrappers
Additional wrapper command prefixes that activate this bundle, unioned with [sandbox.os].wrappers. Omit for no per-entry wrappers.
bk
bk — Buildkite CLI. Read bind for ~/.config/bk.yaml (the org selection bk use writes); forwards BUILDKITE_API_TOKEN to bk:*. Ships a D-Bus filter rule (--talk=org.freedesktop.secrets) so the keychain-stored token (bk auth login stores it via the Secret Service on Linux) works inside the sandbox via the per-spawn filtered proxy when xdg-dbus-proxy and a host session bus are available; otherwise the env-var token path takes over.
default_domains
When true, the bundle’s curated default domains are added on top of the custom domains list, so a domains override extends the curated set instead of replacing it. Default false.
domains
Network domains this bundle may reach instead of its curated default list. Omit to use the curated default; set an empty list for no network access.
wrappers
Additional wrapper command prefixes that activate this bundle, unioned with [sandbox.os].wrappers. Omit for no per-entry wrappers.
cargo
cargo — read bind for ~/.cargo/config.toml; RW or RO binds for ~/.cargo/registry/{cache,src,index} depending on the fetch knob (RW by default so in-sandbox builds can populate the registry cache on a miss). Forwards CARGO_* env vars to cargo:*.
default_domains
When true, the bundle’s curated default domains are added on top of the custom domains list, so a domains override extends the curated set instead of replacing it. Default false.
domains
Network domains this bundle may reach instead of its curated default list. Omit to use the curated default; set an empty list for no network access.
fetch
When true, bind the Cargo registry cache directories read-write so builds can fetch missing crates. Default true; set false for read-only registry caches.
install
When true, bind the tool’s global install destination read-write. Default false.
sccache
Tri-state knob for the cargo bundle’s sccache support:
- "off" (default): no sccache binds, environment passthrough, or daemon supervision.
- "manual": adds the sccache cache directory plus RUSTC_WRAPPER and SCCACHE_* environment passthrough. The user runs the sccache daemon if they want one.
- "on": same sandbox surface as "manual", and Seal (seal-daemon) also supervises the host sccache daemon for the session.
Older boolean values are not accepted; use one of the string values above.
| Value | Meaning |
|---|---|
| "off" | No sccache surface added by the bundle. Default. |
| "manual" | Bundle adds binds + env. User supervises sccache themselves. |
| "on" | Bundle adds binds + env. seal-daemon supervises sccache. |
wrappers
Additional wrapper command prefixes that activate this bundle, unioned with [sandbox.os].wrappers. Omit for no per-entry wrappers.
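A locked-down cargo entry exercising the fetch, install and sccache knobs together. This is an added example, not from the Seal docs or the project; it assumes command_tools is an array under [sandbox.os], and the comment about ~/.cargo/bin is an assumption about what the "global install destination" resolves to for cargo.

```toml
# Added example; assumes command_tools is an array under [sandbox.os].
[sandbox.os]
command_tools = [
  # Hermetic build profile:
  #  - fetch = false mounts ~/.cargo/registry/{cache,src,index} read-only, so
  #    a build that needs a crate not already vendored into the host cache
  #    fails instead of pulling it from inside the sandbox.
  #  - domains = [] removes the curated network list entirely, so the RO
  #    registry is the only source of crates (no cargo update, no git deps).
  #  - install is left at its default (false): the global install destination
  #    (assumed ~/.cargo/bin) stays read-only, so `cargo install` cannot drop
  #    binaries onto the host PATH from a sandboxed build.
  #  - sccache = "manual" adds the sccache cache dir plus RUSTC_WRAPPER and
  #    SCCACHE_* passthrough; the daemon is started by the user, not Seal.
  #    `sccache = true` (the older boolean form) is rejected; use "off",
  #    "manual" or "on".
  { tool = "cargo", fetch = false, domains = [], sccache = "manual" },
]

# Developer profile for comparison (fetch and network at their defaults, global
# installs allowed, seal-daemon supervising sccache). Only one `command_tools`
# array may exist per config, so this is shown commented out:
#   { tool = "cargo", install = true, sccache = "on" },
```

Pairing fetch = false with domains = [] is what makes the profile actually hermetic: fetch = false alone only stops the registry cache from being written, while the bundle’s curated network list would still let cargo reach crates.io.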
node
node — read binds for ~/.npmrc, ~/.node_modules, plus ~/.nvm and ~/.fnm (for the nvm / fnm version managers, which the node shim on PATH consults to pick a toolchain at exec time). Forwards NODE_OPTIONS, NODE_PATH, NODE_ENV, NVM_DIR, FNM_* to node:*. No write binds, since node itself doesn’t manage caches. Default network = npm registry so in-script fetch() calls to the registry work. (Node does not resolve npm: import specifiers natively; that is a Deno-style feature, so don’t expect import('npm:...') to work under this bundle.)
default_domains
When true, the bundle’s curated default domains are added on top of the custom domains list, so a domains override extends the curated set instead of replacing it. Default false.
domains
Network domains this bundle may reach instead of its curated default list. Omit to use the curated default; set an empty list for no network access.
wrappers
Additional wrapper command prefixes that activate this bundle, unioned with [sandbox.os].wrappers. Omit for no per-entry wrappers.
npm / npx
npm / npx — read binds for ~/.npmrc and ~/.config/npm; RW bind for ~/.npm (the install cache); forwards NPM_TOKEN, NPM_CONFIG_*, NODE_AUTH_TOKEN to npm:* and npx:*. Default network = npm registry.
default_domains
When true, the bundle’s curated default domains are added on top of the custom domains list, so a domains override extends the curated set instead of replacing it. Default false.
domains
Network domains this bundle may reach instead of its curated default list. Omit to use the curated default; set an empty list for no network access.
wrappers
Additional wrapper command prefixes that activate this bundle, unioned with [sandbox.os].wrappers. Omit for no per-entry wrappers.
bun / bunx
bun / bunx — read bind for ~/.bunfig.toml; RW bind for ~/.bun/install/cache (bun’s dependency cache); forwards BUN_INSTALL, BUN_CONFIG_*, NPM_TOKEN, NODE_AUTH_TOKEN to bun:* and bunx:*. Default network = npm registry + bun.sh (for runtime self-update probes).
default_domains
When true, the bundle’s curated default domains are added on top of the custom domains list, so a domains override extends the curated set instead of replacing it. Default false.
domains
Network domains this bundle may reach instead of its curated default list. Omit to use the curated default; set an empty list for no network access.
install
When true, bind the tool’s global install destination read-write. Default false.
wrappers
Additional wrapper command prefixes that activate this bundle, unioned with [sandbox.os].wrappers. Omit for no per-entry wrappers.
yarn
yarn — read binds for ~/.yarnrc (classic), ~/.yarnrc.yml (berry), ~/.config/yarn; RW binds for ~/.yarn and ~/.cache/yarn (the install + content caches). Forwards YARN_*, NPM_TOKEN, NODE_AUTH_TOKEN to yarn:*. Default network = npm registry + registry.yarnpkg.com.
default_domains
When true, the bundle’s curated default domains are added on top of the custom domains list, so a domains override extends the curated set instead of replacing it. Default false.
domains
Network domains this bundle may reach instead of its curated default list. Omit to use the curated default; set an empty list for no network access.
wrappers
Additional wrapper command prefixes that activate this bundle, unioned with [sandbox.os].wrappers. Omit for no per-entry wrappers.
pnpm / pnpx
pnpm / pnpx — read binds for ~/.npmrc and ~/.config/pnpm; RW bind for ~/.local/share/pnpm (the content-addressable store). Forwards PNPM_HOME, NPM_*, NODE_AUTH_TOKEN to pnpm:* and pnpx:*. Default network = npm registry.
default_domains
When true, the bundle’s curated default domains are added on top of the custom domains list, so a domains override extends the curated set instead of replacing it. Default false.
domains
Network domains this bundle may reach instead of its curated default list. Omit to use the curated default; set an empty list for no network access.
wrappers
Additional wrapper command prefixes that activate this bundle, unioned with [sandbox.os].wrappers. Omit for no per-entry wrappers.
direnv
direnv — read bind for ~/.config/direnv; RW bind for ~/.local/share/direnv (the per-.envrc allow-store direnv writes the first time it sees a body). Forwards DIRENV_*, XDG_DATA_HOME, XDG_CONFIG_HOME. The bundle is the user-facing opt-in for sandboxed direnv exec wrapping: without it, [command_run] envrc_mode = "trust" (or any approved .envrc) used to bypass the sandbox entirely; with it, the wrapped spawn runs inside bwrap and direnv has the RW it needs to record allow-store entries. Note that the allow-store is direnv’s trust record for .envrc bodies, so anything running in the sandbox with that RW bind can also mark new .envrc content as allowed for later direnv runs. No curated domains (direnv itself doesn’t network); workspaces that use flakes etc. add upstream cache hosts via { tool = "direnv", domains = [...] }.
bundles
Other command_tools bundles to additionally apply under the direnv exec wrap. When the spawn is wrapped (an approved .envrc is visible), each named bundle’s binds + env + network apply as if it were the wrap target, so a devenv .envrc lists ["devenv"] (and ["devenv", "proto"] when the shell’s enterShell runs proto activate). Each named bundle must also be enabled in command_tools. Omit for none.
default_domains
When true, the bundle’s curated default domains are added on top of the custom domains list, so a domains override extends the curated set instead of replacing it. Default false.
domains
Network domains this bundle may reach instead of its curated default list. Omit to use the curated default; set an empty list for no network access.
wrappers
Additional wrapper command prefixes that activate this bundle, unioned with [sandbox.os].wrappers. Omit for no per-entry wrappers.
nix
nix — read binds for ~/.config/nix, ~/.nix-defexpr, ~/.nix-profile, /etc/nix, and /nix (the store itself, RO; every nix invocation walks /nix to resolve derivations); RW bind for ~/.local/state/nix (per-user state under XDG_STATE_HOME: profile manifests, GC roots, flake lock state). Forwards the standard NIX_* env-var set (NIX_PATH, NIX_USER_CONF_FILES, NIX_CONF_DIR, NIX_REMOTE, NIX_PROFILES, NIX_SSL_CERT_FILE) plus the nixpkgs guards (NIXPKGS_ALLOW_UNFREE, NIXPKGS_ALLOW_INSECURE) and HOME_MANAGER_CONFIG.
Activates on the daily-use binary set: nix itself, the classic nix-* family (nix-build, nix-shell, nix-store, nix-instantiate, nix-env, nix-channel, nix-collect-garbage, nix-copy-closure, nix-hash, nix-info, nix-prefetch-url), the lint trio (nixfmt, statix, deadnix), nixd (the LSP), nixos-rebuild, and home-manager. Host-bringup tools (nixos-install / nixos-enter / nixos-generate-config) are deliberately omitted: they need root plus extensive system mounts and aren’t part of the in-sandbox dev workflow.
Default network = the public substituters (cache.nixos.org, *.cachix.org), channel endpoints (channels.nixos.org, *.nixos.org, releases.nixos.org, nixos.org), and GitHub (github.com, api.github.com, *.github.com, codeload.github.com, raw.githubusercontent.com), since flake inputs typically pull from github:... references. *.githubusercontent.com is NOT used here: githubusercontent.com is a public suffix per the PSL, so the bare wildcard would fail PSL validation (the same constraint the gh bundle hits with release-assets.githubusercontent.com).
On macOS, grants connect(2) to the nix daemon control socket at /nix/var/nix/daemon-socket/socket so daemon-backed commands (nix flake update, nix build) work inside the sandbox.
default_domains
When true, the bundle’s curated default domains are added on top of the custom domains list, so a domains override extends the curated set instead of replacing it. Default false.
domains
Network domains this bundle may reach instead of its curated default list. Omit to use the curated default; set an empty list for no network access.
wrappers
Additional wrapper command prefixes that activate this bundle, unioned with [sandbox.os].wrappers. Omit for no per-entry wrappers.
coderabbit
coderabbit / cr — Seal’s headless flow passes --api-key "$CODERABBIT_API_KEY" per the docs.coderabbit.ai/cli/headless-cli-integration docs, so the bundle needs NO read or write file binds for auth. --api-key does NOT bypass the secret store, though: CodeRabbit persists the key into libsecret / the Secret Service regardless of how it’s passed, so the CLI talks to the session keyring over D-Bus on every run. The bundle’s D-Bus filter routes that traffic through a per-spawn filtered proxy (--talk=org.freedesktop.secrets) so the keyring store/read works inside the sandbox (when xdg-dbus-proxy is installed and a host session bus is reachable) without exposing the rest of the session bus. When the proxy can’t start, the spawn gets DBUS_SESSION_BUS_ADDRESS=disabled: instead so the keyring call fails fast.
Forwards CODERABBIT_API_KEY, CODERABBIT_* (future-knob glob), and GITHUB_PERSONAL_ACCESS_TOKEN (the CLI needs a GitHub PAT for repo access). Default network = api.coderabbit.ai + coderabbit.ai + *.coderabbit.ai + cli.coderabbit.ai (the install host; the CLI probes it for update checks) + GitHub + us.i.posthog.com (the CLI’s startup telemetry call is load-bearing: a blocked response stalls cr review). Activates on coderabbit and the documented cr short alias. On macOS the bundle gets read-write keychain access instead of the D-Bus filter: the profile opens com.apple.securityd + ~/Library/Keychains so cr’s keychain probe resolves.
default_domains
When true, the bundle’s curated default domains are added on top of the custom domains list, so a domains override extends the curated set instead of replacing it. Default false.
domains
Network domains this bundle may reach instead of its curated default list. Omit to use the curated default; set an empty list for no network access.
wrappers
Additional wrapper command prefixes that activate this bundle, unioned with [sandbox.os].wrappers. Omit for no per-entry wrappers.
greptile
greptile — read + write bind for ~/.greptile (the CLI stores config, reviews.json and update-check.json as plain JSON in a dotfile dir; no keychain). Auth happens via greptile auth login (which drops a token file into ~/.greptile/); there’s no env-var auth flag the CLI reads, so the documented auth path is the token file under the RW bind. Forwards the GREPTILE_* future-knob glob (model selection / base-URL override), which also incidentally captures GREPTILE_API_KEY if set; that’s intentional bundle scope, and the CLI itself ignores the env var in favor of the dotfile token. Also forwards GITHUB_PERSONAL_ACCESS_TOKEN (the CLI uses a GitHub PAT for repo access, surfaced via strace). Default network = *.greptile.com + GitHub (github.com, api.github.com, *.github.com, and the bare literal raw.githubusercontent.com for raw-content fetches; githubusercontent.com is a public suffix per the PSL, so a wildcard there would fail validation; at the time of writing that host resolves to 185.199.108-111.133 and the matching IPv6 addresses). Activates on greptile.
default_domains
When true, the bundle’s curated default domains are added on top of the custom domains list, so a domains override extends the curated set instead of replacing it. Default false.
domains
Network domains this bundle may reach instead of its curated default list. Omit to use the curated default; set an empty list for no network access.
wrappers
Additional wrapper command prefixes that activate this bundle, unioned with [sandbox.os].wrappers. Omit for no per-entry wrappers.
devenv
devenv — the reproducible dev-shell tool (nix underneath). devenv shells out to nix to build the environment, so this bundle is a superset of the nix bundle’s surface plus devenv’s own state. Read binds for the nix config search path (~/.config/nix, ~/.nix-defexpr, ~/.nix-profile, /etc/nix, /nix) plus ~/.config/nixpkgs (user overlay lookups). RW binds for ~/.local/state/nix (nix per-user state), ~/.cache/nix (nix’s eval + fetcher sqlite caches, which devenv writes on every build), ~/.local/share/devenv (devenv’s own state: gc roots, cachix trusted-keys), and ~/.cache/wasmtime (devenv runs its modules through wasmtime and writes the module cache). Project-relative RW bind for .devenv (the per-project build dir). Forwards the NIX_* env set + HOME_MANAGER_CONFIG + nixpkgs guards + DEVENV_*. Default network = the nix substituters + channels + GitHub (flake inputs, plus codeload.github.com for the …/archive/<rev>.tar.gz fetches devenv-nixpkgs uses) + *.cachix.org + devenv.cachix.org (devenv’s own binary cache). The bundle is designed to be referenced from a direnv entry’s bundles list so it applies under the direnv exec wrap; it does NOT hardcode any language-toolchain manager (proto etc.), so chain those via bundles = ["devenv", "proto"].
default_domains
When true, the bundle’s curated default domains are added on top of the custom domains list, so a domains override extends the curated set instead of replacing it. Default false.
domains
Network domains this bundle may reach instead of its curated default list. Omit to use the curated default; set an empty list for no network access.
wrappers
Additional wrapper command prefixes that activate this bundle, unioned with [sandbox.os].wrappers. Omit for no per-entry wrappers.
proto
proto — the moonrepo toolchain version manager. RW bind for ~/.proto (its whole tree: bin, shims, tools, plugins, temp, the activate hook dirs; proto writes across all of them on install + activate). Forwards PROTO_*. Default network = GitHub (proto fetches its WASM plugins from moonrepo/plugins releases + codeload.github.com archive tarballs) plus the language-toolchain download hosts proto resolves (nodejs.org, bun.sh, static.rust-lang.org). Scoped to proto’s own state so a devenv enterShell that runs proto activate works end-to-end under the direnv wrap.
default_domains
When true, the bundle’s curated default domains are added on top of the custom domains list, so a domains override extends the curated set instead of replacing it. Default false.
domains
Network domains this bundle may reach instead of its curated default list. Omit to use the curated default; set an empty list for no network access.
wrappers
Additional wrapper command prefixes that activate this bundle, unioned with [sandbox.os].wrappers. Omit for no per-entry wrappers.
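A worked direnv + devenv + proto chain, tying together the direnv entry’s bundles knob and the devenv and proto bundles it references. This is an added example, not from the Seal docs or the project: it assumes command_tools is an array under [sandbox.os]; the [command_run] envrc_mode line reproduces the setting the direnv entry mentions, and nix-cache.internal.example is a placeholder for a private binary cache not covered by any curated list.

```toml
# Added example; assumes command_tools is an array under [sandbox.os].
[command_run]
# The mode the direnv entry refers to: approved .envrc bodies are executed
# under the direnv exec wrap instead of bypassing the sandbox.
envrc_mode = "trust"

[sandbox.os]
command_tools = [
  # Every bundle named in direnv's `bundles` list must itself be enabled here;
  # devenv pulls in the nix surface, and proto is needed because the devenv
  # enterShell runs `proto activate`.
  "nix",
  "devenv",
  "proto",

  # direnv ships no curated domains. Under the wrap, devenv's and proto's
  # binds, env and network (substituters, *.cachix.org, GitHub, nodejs.org,
  # bun.sh, static.rust-lang.org) apply to the spawn as if each were the wrap
  # target; `domains` on the direnv entry adds a private cache host on top of
  # that (placeholder hostname). ~/.local/share/direnv is RW so direnv can
  # record the allow-store entry for the .envrc it approved.
  { tool = "direnv", bundles = ["devenv", "proto"], domains = ["nix-cache.internal.example"] },
]
```

Listing "devenv" and "proto" only inside bundles is not enough: the knob merges bundles that are already enabled, so an entry that is missing from command_tools contributes no binds or network under the wrap and the enterShell step that depends on it fails inside the sandbox.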