Description
The OS sandbox workspace profile ([tools.sandbox] enabled=true profile=\"workspace\") causes basic shell commands to fail with exit code 1 on macOS. Even simple commands like echo hello return no output and exit code 1 when the Seatbelt sandbox is active.
The root cause is that the generated .sb (TinyScheme) profile grants file-read* on specific subpaths (/usr, /bin, /sbin, /lib) but does not include the file-read-data and file-read-metadata operations that bash requires to load shared libraries and resolve its own runtime environment.
Reproduction Steps
- Add
[tools.sandbox] enabled=true profile=\"workspace\" strict=false to config
- Start agent:
cargo run --features full -- --config /tmp/testing-sandbox.toml
- Send:
use the bash tool to run: echo hello from sandbox
- Observe: no output, exit code 1 in audit log
Without sandbox: exit code 0, output hello from sandbox (correct).
Expected Behavior
Basic shell commands (echo, ls, pwd) should succeed under the workspace sandbox profile. The Workspace profile is intended to restrict filesystem writes and network access — not to break command execution entirely.
Actual Behavior
echo hello from sandbox → exit code 1, no output- Audit log:
\"exit_code\": 1
- Log:
OS sandbox enabled backend=\"macos-seatbelt\"
Manual test confirmed the missing operations:
# Fails (exit 134 SIGABRT) — matches what the agent does:
sandbox-exec -f profile.sb /bin/bash -c "echo hello"
# Works — needs file-read-data + file-read-metadata:
sandbox-exec -f profile-with-extras.sb /bin/bash -c "echo hello"
Root Cause
generate_sb_profile() in crates/zeph-tools/src/sandbox/macos.rs includes (allow file-read* (subpath ...)) rules, but this does not cover file-read-data and file-read-metadata operations outside the allowed subpaths. bash needs these to load dylibs from the macOS dynamic linker cache (DYLD), which resides outside the listed paths on modern macOS.
Fix: add (allow file-read-data) and (allow file-read-metadata) globally to the workspace profile, or expand the allowed subpaths to include the dyld shared cache location (/System/Library/dyld/, /.file).
Environment
- Version: 0.19.1, HEAD bea46eb
- Platform: macOS (Darwin 25.4.0)
- Feature:
full
- Config:
[tools.sandbox] enabled=true profile=\"workspace\" strict=false backend=\"auto\"
Logs / Evidence
Audit log entry with sandbox enabled:
{"tool":"shell","command":"echo hello from sandbox","result":{"type":"success"},"duration_ms":17,"exit_code":1}Audit log entry without sandbox:
{"tool":"shell","command":"echo hello from sandbox","result":{"type":"success"},"duration_ms":5,"exit_code":0,"truncated":true}Session log: INFO zeph::agent_setup: OS sandbox enabled backend="macos-seatbelt"
Description
The OS sandbox workspace profile (
[tools.sandbox] enabled=true profile=\"workspace\") causes basic shell commands to fail with exit code 1 on macOS. Even simple commands likeecho helloreturn no output and exit code 1 when the Seatbelt sandbox is active.The root cause is that the generated
.sb(TinyScheme) profile grantsfile-read*on specific subpaths (/usr,/bin,/sbin,/lib) but does not include thefile-read-dataandfile-read-metadataoperations that bash requires to load shared libraries and resolve its own runtime environment.Reproduction Steps
[tools.sandbox] enabled=true profile=\"workspace\" strict=falseto configcargo run --features full -- --config /tmp/testing-sandbox.tomluse the bash tool to run: echo hello from sandboxWithout sandbox: exit code 0, output
hello from sandbox(correct).Expected Behavior
Basic shell commands (
echo,ls,pwd) should succeed under the workspace sandbox profile. The Workspace profile is intended to restrict filesystem writes and network access — not to break command execution entirely.Actual Behavior
echo hello from sandbox→ exit code 1, no output\"exit_code\": 1OS sandbox enabled backend=\"macos-seatbelt\"Manual test confirmed the missing operations:
Root Cause
generate_sb_profile()incrates/zeph-tools/src/sandbox/macos.rsincludes(allow file-read* (subpath ...))rules, but this does not coverfile-read-dataandfile-read-metadataoperations outside the allowed subpaths. bash needs these to load dylibs from the macOS dynamic linker cache (DYLD), which resides outside the listed paths on modern macOS.Fix: add
(allow file-read-data)and(allow file-read-metadata)globally to the workspace profile, or expand the allowed subpaths to include the dyld shared cache location (/System/Library/dyld/,/.file).Environment
full[tools.sandbox] enabled=true profile=\"workspace\" strict=false backend=\"auto\"Logs / Evidence
Audit log entry with sandbox enabled:
{"tool":"shell","command":"echo hello from sandbox","result":{"type":"success"},"duration_ms":17,"exit_code":1}Audit log entry without sandbox:
{"tool":"shell","command":"echo hello from sandbox","result":{"type":"success"},"duration_ms":5,"exit_code":0,"truncated":true}Session log:
INFO zeph::agent_setup: OS sandbox enabled backend="macos-seatbelt"