The summary
The row that matters is the reads one. The others are the same.
macOS and Linux: nothing exists until it is allowed
Reads are denied by default. The agent does not see the filesystem and is given access to a small set: the worktree, temp, the agent’s own directories. The practical effect is what you expect from a sandbox:- Your
~/.sshis not “forbidden” — it does not exist in the agent’s world. - A repository of yours in another folder does not exist.
- The
.envof the project next door does not exist. - A secret path nobody anticipated also does not exist, because nothing exists by default.
Content, not metadata. The agent can check whether a file exists, its size and its date. Only the content is denied by default — resolving paths is necessary for any program to work.
bubblewrap is a hard dependency — without it, the core refuses to create agent sessions. Distributions with unprivileged user namespaces disabled refuse the session with an explicit message.
Codex has its own containment on macOS. TYBA’s Seatbelt does not wrap Codex — nesting the two policies fails on the system. Codex applies its own native Seatbelt per command. It is real containment, but it is not the same one, and restricting Codex’s reads to Claude Code’s level is still pending work.
Windows: open by default, with a list of closed secrets
The jail is a restricted token with Integrity Level Low and a synthetic SID per session. It is solid at what it sets out to do: writes are confined to the worktree by ACE, and writing outside is denied. Just like on the other systems, it is fail-closed — if it fails, the agent does not start. But the read model is inverted. Instead of denying everything and opening exceptions, it leaves things open and closes a list of known secrets:What this means in practice
What is on the list is protected. Your SSH keys and cloud credentials are just as inaccessible on Windows as on macOS. What is not on the list, the agent reads. For example:- The
.envof any other project of yours. - Any other repository on your machine.
- Your Documents, your Desktop.
Why it is like this
Deny-by-default reads on Windows would require AppContainer, and TYBA chose not to use it — the compatibility cost would make the agents the product exists to run unviable. The restricted token is the mechanism that gets the agent to start. It is an accepted tradeoff, not an oversight. But it changes the guarantee, and you deserve to know that before installing, not after.What to do about it
If your threat model is “I want to run an agent without it reading my keys”, Windows delivers. If it is “I want to run an agent such that it sees nothing beyond the current project”, Windows does not deliver today. Use macOS or Linux.read_allow on Windows
The sandbox.read_allow field from the user config has no effect on Windows. It is accepted and validated, but discarded.
Nothing is lost: since reads are already open, everything it could grant is already granted. And what it cannot grant — the secrets on the list — it cannot grant on macOS either, where denials beat any permission.
What holds the same everywhere
These guarantees do not depend on the platform:- An agent pushing to
main/masteris refused by the core. Always. - The agent does not have your credentials. Push, fetch and merge are executed by TYBA, outside the jail. The agent’s session never had an authenticated network.
- Shared refs only in the
refs/heads/tyba/namespace. A compromised agent does not move your localmain. - The agent’s commits are not signed. They are born in a disposable worktree and reviewed by you before anything leaves the machine.
- Every action goes through the approval gate, with the same risk classification.
See also
- Risk classification — what needs your approval
- User configuration —
sandbox.read_allow