What This Means In Practice
- Agent code is mounted read-only.
- /workspace is mounted from the attached filesystem.
- Task system folders such as /root/.claude and /root/.codex are mounted per task.
- /tmp is ephemeral.
- Network access is shared so agents can call model APIs and external services.
Current Implementation
The current runtime uses bubblewrap, not nsjail. It creates separate user, PID, IPC, and UTS namespaces, keeps network access shared, bind-mounts /proc read-only, and starts from a cleared environment before re-injecting the runtime environment.
Read-Only Workspace Mode
/workspace is not always writable.
If a caller can run a task and read the filesystem but cannot update the filesystem, the runtime mounts /workspace read-only for that task.
See Access Control.
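The isolation described under Current Implementation and Read-Only Workspace Mode, expressed as bubblewrap flags in an added sketch (not TerminalUse's own runner code). The function name, its argument layout, the /app path for agent code, and the environment values are assumptions.

```shell
# Added sketch, not TerminalUse's actual runner. Prints one bwrap argument
# per line. Argument layout, /app and the env values are assumptions.
#   $1 rootfs image dir      $2 agent code dir   $3 attached filesystem dir
#   $4 per-task folders dir  $5 "rw" if the caller may update the filesystem
build_bwrap_args() {
    rootfs=$1 agent_dir=$2 fs_dir=$3 task_dir=$4 fs_access=$5

    # Separate user, PID, IPC and UTS namespaces. --unshare-net is left out
    # on purpose: the network stays shared so agents can reach model APIs.
    printf '%s\n' --unshare-user --unshare-pid --unshare-ipc --unshare-uts

    # Cleared environment first, then re-inject only the runtime's variables.
    printf '%s\n' --clearenv --setenv PATH /usr/bin:/bin --setenv HOME /root

    # Read-only root image (assumed to already contain the mount points used
    # below), read-only agent code, and /proc bind-mounted read-only.
    printf '%s\n' --ro-bind "$rootfs" /
    printf '%s\n' --ro-bind "$agent_dir" /app
    printf '%s\n' --ro-bind /proc /proc
    printf '%s\n' --dev /dev

    # /tmp is ephemeral: a fresh tmpfs that disappears with the sandbox.
    printf '%s\n' --tmpfs /tmp

    # Task system folders are mounted per task.
    printf '%s\n' --bind "$task_dir/.claude" /root/.claude
    printf '%s\n' --bind "$task_dir/.codex" /root/.codex

    # Read-only workspace mode: anything other than an explicit "rw"
    # falls through to a read-only mount, so the default fails closed.
    if [ "$fs_access" = rw ]; then
        printf '%s\n' --bind "$fs_dir" /workspace
    else
        printf '%s\n' --ro-bind "$fs_dir" /workspace
    fi
}
```

The output is the argument vector for bwrap, to be followed by `--` and the agent command.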
What The Docs Do Not Promise
- A sandbox wall-clock timeout is not currently enforced at the bubblewrap runner layer.
- CLI approval prompts are not part of TerminalUse itself; approval behavior belongs to the tool you run inside the agent.