What would you like?
Acolyte should treat the workspace as a first-class sandbox boundary for all agent tool filesystem access.
Tools should have broad access inside the sandbox and no access outside it.
This boundary should be enforced consistently regardless of workflow or invocation path.
Motivation
Security should be a core product behavior, not an optional mode.
A single sandbox model makes the trust boundary clear for users and maintainers.
It also reduces ambiguity around what agent tools can and cannot touch.
Proposed approach
Introduce a canonical workspace-sandbox boundary concept that defines and validates the active sandbox root per session.
Use resolved-path enforcement so boundary checks are based on the real target path, not only input strings.
When a tool request crosses the boundary, return a structured sandbox violation error.
Scope
- Workspace sandbox boundary definition
- Canonical workspace-sandbox module ownership
- Tool-entry sandbox enforcement across runtime and debug invocations
- Structured sandbox violation error contract
- Documentation updates for sandbox semantics
What would you like?
Acolyte should treat the workspace as a first-class sandbox boundary for all agent tool filesystem access.
Tools should have broad access inside the sandbox and no access outside it.
This boundary should be enforced consistently regardless of workflow or invocation path.
Motivation
Security should be a core product behavior, not an optional mode.
A single sandbox model makes the trust boundary clear for users and maintainers.
It also reduces ambiguity around what agent tools can and cannot touch.
Proposed approach
Introduce a canonical workspace-sandbox boundary concept that defines and validates the active sandbox root per session.
Use resolved-path enforcement so boundary checks are based on the real target path, not only input strings.
When a tool request crosses the boundary, return a structured sandbox violation error.
Scope