Sandboxing

Lime ships a custom sandbox runtime as a separate binary, srt (crates/sandbox-runtime/), used to isolate the most dangerous tool calls. It is enforced on Linux and macOS; on Windows, configuration is parsed but isolation is not applied.

What srt provides

| Layer | Description |
|---|---|
| Isolation | Per-call process isolation via bwrap on Linux, sandbox-exec on macOS. |
| Network | Network namespace (Linux) or sandbox profile (macOS) with no interface, or a restricted allow-list. |
| Filesystem | Read-only root, read-write workspace, optional explicit mount allow-list. |

srt is invoked transparently by the runtime — there is no separate configuration step beyond the sandbox section of your settings.

Configuration

{
  "sandbox": {
    "enabled": true,
    "namespaceRestrictions": true,
    "networkIsolation": true,
    "filesystemMode": "workspace-only",
    "allowedMounts": ["/tmp", "/usr/local/share/git-core"]
  }
}

| Field | Type | Default | Description |
|---|---|---|---|
| enabled | bool | false | Master switch. When false, every other field is ignored. |
| namespaceRestrictions | bool | true | Apply mount/pid/uts/ipc namespaces. |
| networkIsolation | bool | true | Enter a network namespace with no external interface. |
| filesystemMode | off / workspace-only / allow-list | workspace-only | Which paths are writable inside the sandbox. |
| allowedMounts | string[] of absolute paths | [] | Additional read-write mounts. Used when filesystemMode is allow-list and as supplementary mounts for workspace-only. |
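
A pre-deployment audit of the sandbox section, written for this page as an added example (it is not Lime's or srt's own code). It resolves the defaults from the field table and reports settings that weaken isolation. The function name, the platform labels, the reading of filesystemMode "off" as unrestricted writes, and the root-mount check are assumptions of the example.

```python
import posixpath

# Defaults and allowed values copied from the field table above.
DEFAULTS = {"enabled": False, "namespaceRestrictions": True, "networkIsolation": True,
            "filesystemMode": "workspace-only", "allowedMounts": []}
FS_MODES = ("off", "workspace-only", "allow-list")

# Constructed sample input: a weakened "sandbox" section for the audit to flag.
WEAK_SETTINGS = {"sandbox": {"enabled": True, "networkIsolation": False,
                             "filesystemMode": "allow-list",
                             "allowedMounts": ["tmp", "/tmp/.."]}}


def audit_sandbox(settings, platform):
    """Return (resolved_config, findings); platform is "linux", "macos" or "windows" (assumed labels)."""
    cfg = {**DEFAULTS, **settings.get("sandbox", {})}
    if not cfg["enabled"]:
        # Master switch off: every other field is ignored, so report only this.
        return cfg, ["enabled is false: no isolation, other fields are ignored"]
    findings = []
    if platform == "windows":
        findings.append("windows: configuration is parsed but isolation is not applied")
    if not cfg["namespaceRestrictions"]:
        findings.append("namespaceRestrictions is false: mount/pid/uts/ipc namespaces not applied")
    if not cfg["networkIsolation"]:
        findings.append("networkIsolation is false: calls do not enter the isolated network namespace")
    mode = cfg["filesystemMode"]
    if mode not in FS_MODES:
        findings.append(f"filesystemMode {mode!r} is not one of {FS_MODES}")
    elif mode == "off":
        # Assumption: "off" means writes are not restricted; the page does not spell it out.
        findings.append("filesystemMode is off: assumed to mean no write restriction")
    for mount in cfg["allowedMounts"]:
        if not isinstance(mount, str) or not mount.startswith("/"):
            findings.append(f"allowedMounts entry {mount!r} is not an absolute path")
        elif posixpath.normpath(mount) == "/":
            # Constructed check: a read-write mount of "/" would undo the read-only root.
            findings.append(f"allowedMounts entry {mount!r} resolves to the root directory")
    return cfg, findings


if __name__ == "__main__":
    for finding in audit_sandbox(WEAK_SETTINGS, "linux")[1]:
        print("-", finding)
```
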

Inspect runtime status

lime sandbox # one-shot snapshot
/sandbox # inside the REPL

Both render:

  • Whether the sandbox is enabled.
  • Whether srt is on the PATH (or which path was used).
  • Resolved filesystemMode and allowedMounts.
  • A short test that confirms the runtime can launch a sandboxed true with the configured options.

Which tool calls go through srt?

The runtime sends a tool call through srt when all of the following hold:

  1. sandbox.enabled is true.
  2. The host platform is Linux or macOS.
  3. The tool is in the FullAccess permission category (e.g. bash, bash_session_*, powershell, repl, enter_worktree, spawn_agents_on_csv).
  4. The tool’s invocation does not declare an explicit requires_unrestricted_host flag (a small allow-list of system tools that need direct host access).

ReadOnly and WriteWorkspace tools run in-process; the permission model gates them. The sandbox is for the long tail of arbitrary code execution.

Limitations

  • Windows is not enforced. Sandbox configuration is parsed but isolation is not applied; rely on the permission model and exec rules. WSL 1 is also unsupported (WSL 2 works as Linux).
  • No GPU isolation. If your tool calls use the GPU, isolate at the container layer instead.
  • No CPU / memory caps. Use cgroups (Linux) or your host’s process-control layer for that.

Defense in depth

The sandbox is one layer. The full stack is:

  1. Hooks (PreToolUse) — write your own veto / rewrite logic.
  2. Exec rules — TOML allow/deny.
  3. Permission policy — per-tool allow/deny/ask + permission mode.
  4. Sandbox — namespace / net / fs isolation for FullAccess calls.

Disabling any one of them does not disable the others.