Security Sandbox
Provides defense-in-depth security for autonomous coding operations through command validation, allowlists, and execution hooks.
Quick Start
Validate a Command
python
from scripts.command_validator import validate_command
result = validate_command("npm install express")
if result.allowed:
# Safe to execute
pass
else:
print(f"Blocked: {result.reason}")
Use Security Hook
python
from scripts.security_manager import create_bash_security_hook
hook = create_bash_security_hook()
# Hook returns decision for Claude SDK
decision = await hook({
"tool_input": {"command": "rm -rf /"}
})
# decision = {"decision": "block", "reason": "Command 'rm' requires approval"}
Configure Allowlist
python
from scripts.allowlist import Allowlist
allowlist = Allowlist()
allowlist.add("docker")
allowlist.add("kubectl")
allowlist.remove("rm") # Disallow rm
Security Model
code
┌─────────────────────────────────────────────────────────────┐ │ DEFENSE IN DEPTH │ ├─────────────────────────────────────────────────────────────┤ │ │ │ LAYER 1: SANDBOX │ │ ├─ OS-level isolation │ │ ├─ Filesystem restrictions │ │ └─ Network limitations │ │ │ │ LAYER 2: PERMISSIONS │ │ ├─ Tool allowlist (Read, Write, Bash...) │ │ ├─ Path restrictions (./**) │ │ └─ Operation limits │ │ │ │ LAYER 3: COMMAND VALIDATION │ │ ├─ Command extraction & parsing │ │ ├─ Allowlist checking │ │ └─ Dangerous pattern detection │ │ │ │ LAYER 4: HOOKS │ │ ├─ PreToolUse validation │ │ ├─ Real-time blocking │ │ └─ Audit logging │ │ │ └─────────────────────────────────────────────────────────────┘
Default Allowlist
python
ALLOWED_COMMANDS = {
# File inspection
"ls", "cat", "head", "tail", "wc", "grep", "find",
# File operations
"cp", "mkdir", "chmod", "touch",
# Node.js
"npm", "node", "npx", "yarn", "pnpm",
# Python
"python", "python3", "pip", "pip3", "poetry",
# Version control
"git",
# Process management
"ps", "lsof", "sleep", "pkill", "kill",
# System info
"pwd", "whoami", "uname", "which", "env",
# Network (limited)
"curl", "wget",
}
Dangerous Patterns
These patterns are always blocked:
| Pattern | Risk | Example |
|---|---|---|
rm -rf / | System destruction | Wipes filesystem |
> /dev/sda | Disk corruption | Overwrites disk |
chmod 777 | Security hole | World-writable |
curl | bash | Code injection | Remote execution |
:(){ :|:& };: | Fork bomb | DoS attack |
dd if=/dev/zero | Disk fill | Resource exhaustion |
Hook Integration
python
# For Claude SDK integration
from scripts.security_manager import SecurityManager
manager = SecurityManager()
# Configure SDK with hooks
sdk_options = {
"hooks": {
"PreToolUse": [manager.pre_tool_hook]
}
}
Integration Points
- •autonomous-session-manager: Provides security during sessions
- •coding-agent: Uses hooks for safe command execution
- •autonomous-loop: Ensures safety in continuous operation
References
- •
references/ALLOWED-COMMANDS.md- Full allowlist documentation - •
references/SECURITY-MODEL.md- Security architecture - •
references/CUSTOM-RULES.md- Custom rule configuration
Scripts
- •
scripts/security_manager.py- Core security manager - •
scripts/command_validator.py- Command validation - •
scripts/allowlist.py- Allowlist management - •
scripts/sandbox_config.py- Sandbox configuration