Skip to content
/ pi-sandbox Public

OS-level sandboxing for pi with interactive permission prompts

pi.dev/packages

License

MIT license
2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

carderne/pi-sandbox

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
.github/workflows
.github/workflows
 
 
demo
demo
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
index.ts
index.ts
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
tsconfig.json
tsconfig.json
 
 

Repository files navigation

pi-sandbox

Sandbox for pi.

Sandboxes pi like this:

  • read/write/edit: direct control using allow/deny lists
  • bash: uses Anthropic Sandbox Runtime to control network and file system access

When a blocked action is attempted, the user is prompted to allow it temporarily or permanently rather than silently failing.

demo

Quickstart

Install

pi install npm:pi-sandbox

Configure

Add a config like this either to ~/.pi/agent (global) or to .pi/sandbox.json (local). Local config takes precedence over global.

{
  "enabled": true,
  "network": {
    "allowedDomains": ["github.com", "*.github.com"],
    "deniedDomains": []
  },
  "filesystem": {
    "denyRead": ["~/.ssh", "~/.aws", "~/.gnupg"],
    "allowWrite": [".", "/tmp"],
    "denyWrite": [".env", ".env.*", "*.pem", "*.key"]
  }
}

Usage

pi --no-sandbox          disable sandboxing for the session
/sandbox                 show current configuration and session allowances

What it does

Bash commands are wrapped with sandbox-exec (macOS) or bubblewrap (Linux) to enforce network and filesystem restrictions at the OS level.

Read, write, and edit tool calls are intercepted before execution and checked against the same filesystem policy. The OS-level sandbox cannot cover these tools because they run directly in the Node.js process rather than in a subprocess.

When a block is triggered, a prompt appears with four options:

  • Abort (keep blocked)
  • Allow for this session only
  • Allow for this project — written to .pi/sandbox.json
  • Allow for all projects — written to ~/.pi/agent/sandbox.json

Session allowances are held in memory only. They are never written to disk and the agent has no way to read or modify them. They are reset when the extension reloads or pi restarts.

What is prompted vs. hard-blocked

Rule Behaviour
Domain not in allowedDomains Prompted (bash and !cmd)
Path not in allowWrite Prompted (write/edit tools and bash write failures)
Path in denyRead Hard-blocked, no prompt
Path in denyWrite Hard-blocked, no prompt
Domain in deniedDomains Hard-blocked at OS level, no prompt

If a path is added to allowWrite via a prompt but is also present in denyWrite, it remains blocked. A warning is shown explaining which config files to check.

allowedDomains supports *.example.com wildcards. allowWrite uses prefix matching, so . covers the entire current working directory. denyWrite takes precedence over allowWrite.

If neither file exists, built-in defaults apply (see above for the defaults).

The footer shows a lock indicator while the sandbox is active.

Ackowledgements

Based on code from badlogic/pi-mono by Mario Zechner, used under the MIT License.

About

OS-level sandboxing for pi with interactive permission prompts

pi.dev/packages

Topics

pi-package

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 2

v0.1.7 Latest
Feb 19, 2026
+ 1 release

Languages