security-sandbox

Secure command execution with allowlists and validation hooks. Use when validating bash commands, configuring security policies, implementing pre-tool-use hooks, or sandboxing autonomous agent operations.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "security-sandbox" with this command: npx skills add adaptationio/skrillz/adaptationio-skrillz-security-sandbox

Security Sandbox

Provides defense-in-depth security for autonomous coding operations through command validation, allowlists, and execution hooks.

Quick Start

Validate a Command

from scripts.command_validator import validate_command

result = validate_command("npm install express")
if result.allowed:
    # Safe to execute
    pass
else:
    print(f"Blocked: {result.reason}")

Use Security Hook

import asyncio
from scripts.security_manager import create_bash_security_hook

hook = create_bash_security_hook()

async def main():
    # Hook returns a decision dict for the Claude SDK
    decision = await hook({
        "tool_input": {"command": "rm -rf /"}
    })
    # decision == {"decision": "block", "reason": "Command 'rm' requires approval"}

asyncio.run(main())

Configure Allowlist

from scripts.allowlist import Allowlist

allowlist = Allowlist()
allowlist.add("docker")
allowlist.add("kubectl")
allowlist.remove("rm")  # Disallow rm

Security Model

┌─────────────────────────────────────────────────────────────┐
│                   DEFENSE IN DEPTH                           │
├─────────────────────────────────────────────────────────────┤
│                                                              │
│  LAYER 1: SANDBOX                                           │
│  ├─ OS-level isolation                                      │
│  ├─ Filesystem restrictions                                 │
│  └─ Network limitations                                     │
│                                                              │
│  LAYER 2: PERMISSIONS                                       │
│  ├─ Tool allowlist (Read, Write, Bash...)                  │
│  ├─ Path restrictions (./**)                               │
│  └─ Operation limits                                        │
│                                                              │
│  LAYER 3: COMMAND VALIDATION                                │
│  ├─ Command extraction & parsing                            │
│  ├─ Allowlist checking                                      │
│  └─ Dangerous pattern detection                             │
│                                                              │
│  LAYER 4: HOOKS                                             │
│  ├─ PreToolUse validation                                   │
│  ├─ Real-time blocking                                      │
│  └─ Audit logging                                           │
│                                                              │
└─────────────────────────────────────────────────────────────┘

Default Allowlist

ALLOWED_COMMANDS = {
    # File inspection
    "ls", "cat", "head", "tail", "wc", "grep", "find",
    # File operations
    "cp", "mkdir", "chmod", "touch",
    # Node.js
    "npm", "node", "npx", "yarn", "pnpm",
    # Python
    "python", "python3", "pip", "pip3", "poetry",
    # Version control
    "git",
    # Process management
    "ps", "lsof", "sleep", "pkill", "kill",
    # System info
    "pwd", "whoami", "uname", "which", "env",
    # Network (limited)
    "curl", "wget",
}

Dangerous Patterns

These patterns are always blocked:

Pattern          Risk                Example
rm -rf /         System destruction  Wipes filesystem
> /dev/sda       Disk corruption     Overwrites disk
chmod 777        Security hole       World-writable
curl | bash      Code injection      Remote execution
:(){ :|:& };:    Fork bomb           DoS attack
dd if=/dev/zero  Disk fill           Resource exhaustion
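A worked version of Layer 3 (pattern detection, command extraction, per-command allowlist check) and the PreToolUse decision shape from the Quick Start, added here as an illustration; it is not the skill's own command_validator.py or security_manager.py. The allowlist is a constructed subset of the default list, the regexes are one way to encode the table above, and the hook is a synchronous stand-in for the async one the skill exposes.

```python
import re
import shlex
from dataclasses import dataclass

# Constructed subset of the default allowlist above (illustrative, not the skill's own code)
ALLOWED_COMMANDS = {"ls", "cat", "grep", "npm", "node", "git", "python3", "curl", "cp", "mkdir"}
CONTROL_OPERATORS = {"|", "||", "&", "&&", ";", ";;", "(", ")"}  # a new simple command starts after these
# Regexes for the "always blocked" patterns in the table above
DANGEROUS_PATTERNS = [
    (re.compile(r"\brm\s+-[a-zA-Z]*r[a-zA-Z]*\s+/\*?(?:\s|$)"), "rm -rf /"),
    (re.compile(r">\s*/dev/sd[a-z]"), "> /dev/sda"),
    (re.compile(r"\bchmod\s+(?:-\w+\s+)*0?777\b"), "chmod 777"),
    (re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"), "curl | bash"),
    (re.compile(r":\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:"), "fork bomb"),
    (re.compile(r"\bdd\b.*\bif=/dev/zero\b"), "dd if=/dev/zero"),
]
@dataclass
class ValidationResult:
    allowed: bool
    reason: str = ""

def validate_command(command: str) -> ValidationResult:
    # Layer 3 order: dangerous patterns, then parsing, then per-command allowlist check
    for pattern, name in DANGEROUS_PATTERNS:
        if pattern.search(command):
            return ValidationResult(False, f"Dangerous pattern: {name}")
    if "`" in command or "$(" in command:  # substitution would hide the real command
        return ValidationResult(False, "Command substitution is not allowed")
    try:
        lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
        lexer.whitespace_split = True  # keeps words like -rf and ./x intact, splits at | ; &&
        tokens = list(lexer)
    except ValueError as exc:  # unbalanced quotes: fail closed rather than guess
        return ValidationResult(False, f"Unparseable command: {exc}")
    expect_command = True
    for tok in tokens:
        if tok in CONTROL_OPERATORS:
            expect_command = True
        elif expect_command:
            if re.fullmatch(r"[A-Za-z_]\w*=.*", tok):  # leading VAR=value assignment
                continue
            if tok not in ALLOWED_COMMANDS:
                return ValidationResult(False, f"Command '{tok}' requires approval")
            expect_command = False
    return ValidationResult(True)

def pre_tool_use_hook(hook_input: dict) -> dict:
    # Synchronous stand-in for the PreToolUse decision shape shown in the Quick Start
    result = validate_command(hook_input.get("tool_input", {}).get("command", ""))
    return {"decision": "allow"} if result.allowed else {"decision": "block", "reason": result.reason}
```

Note that a pipe inside a quoted argument is not treated as a control operator, while a chained `; rm ...` after an allowed command is still caught, which is why the line is tokenized rather than matched on its first word alone.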

Hook Integration

# For Claude SDK integration
from scripts.security_manager import SecurityManager

manager = SecurityManager()

# Configure SDK with hooks
sdk_options = {
    "hooks": {
        "PreToolUse": [manager.pre_tool_hook]
    }
}

Integration Points

  • autonomous-session-manager: Provides security during sessions
  • coding-agent: Uses hooks for safe command execution
  • autonomous-loop: Ensures safety in continuous operation

References

  • references/ALLOWED-COMMANDS.md - Full allowlist documentation
  • references/SECURITY-MODEL.md - Security architecture
  • references/CUSTOM-RULES.md - Custom rule configuration

Scripts

  • scripts/security_manager.py - Core security manager
  • scripts/command_validator.py - Command validation
  • scripts/allowlist.py - Allowlist management
  • scripts/sandbox_config.py - Sandbox configuration

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
