Hanzo Dev

Platform Sandboxing

OS-specific sandboxing mechanisms in Hanzo Dev.

The sandboxing mechanism varies by operating system.

macOS 12+

Uses Apple Seatbelt via sandbox-exec with a profile that matches the selected --sandbox mode.

Linux

Uses Landlock plus seccomp to apply the configured sandbox policy.

In containerized environments (e.g., Docker), the host must support these APIs. If it does not, configure the container to provide isolation and run Hanzo Dev with --sandbox danger-full-access inside the container instead.

Windows

Hanzo Dev launches commands with a restricted Windows token and an allowlist tied to declared workspace roots. Writes are blocked outside those roots; common escape vectors like alternate data streams, UNC paths, and device handles are proactively denied.

The CLI also inserts stub executables (wrapping tools like ssh) ahead of the host PATH to intercept risky tools before they escape the sandbox.

Known Limitations

The smoketest suite currently passes 37/41 cases. The remaining gaps:

| Test | Description |
| --- | --- |
| ADS write denied (#32) | Alternate data streams can still be written inside workspace |
| Protected path case-variation (#33) | .GiT bypasses protections for .git |
| PATH stub bypass (#35) | Workspace shim not reliably executed |
| Start-Process https (#41) | Start-Process 'https://…' succeeds via Explorer |
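
A lexical pre-check for Windows write targets that denies UNC and device prefixes, alternate data streams, reserved device names, and case variants of protected directories such as .git. This is an added example, not Hanzo Dev's implementation; check_write, PROTECTED_DIRS and DEVICE_NAMES are hypothetical names, and the sample paths in the comments are constructed.

```python
import ntpath

# Hypothetical names and lists, constructed for this example (not Hanzo Dev's).
PROTECTED_DIRS = {".git"}
DEVICE_NAMES = {"con", "prn", "aux", "nul"} | {
    f"{p}{n}" for p in ("com", "lpt") for n in range(1, 10)}


def check_write(path, workspace_roots):
    """Return (allowed, reason) for a proposed write to a Windows path."""
    p = path.replace("/", "\\")
    # \\server\share (UNC) and \\.\ or \\?\ (device namespace) are all refused.
    if p.startswith("\\\\"):
        return False, "unc-or-device-prefix"
    _drive, rest = ntpath.splitdrive(p)
    # Past the drive letter, a ':' names an alternate data stream
    # (constructed sample: C:\ws\notes.txt:hidden).
    if ":" in rest:
        return False, "alternate-data-stream"
    if not ntpath.isabs(p):
        return False, "relative-path"
    # Collapse '.' and '..' lexically before any comparison.
    norm = ntpath.normpath(p)
    for seg in norm.split("\\")[1:]:
        # Win32 drops trailing dots and spaces, and lookups ignore case,
        # so '.GiT' and '.git.' must compare equal to '.git'.
        name = seg.rstrip(" .").casefold()
        # Reserved device names match with or without an extension.
        if name.split(".")[0] in DEVICE_NAMES:
            return False, "device-name"
        if name in PROTECTED_DIRS:
            return False, "protected-path"
    folded = norm.casefold()
    for root in workspace_roots:
        r = ntpath.normpath(root.replace("/", "\\")).casefold().rstrip("\\")
        # Require a separator after the root so C:\ws2 is not inside C:\ws.
        if folded == r or folded.startswith(r + "\\"):
            return True, "inside-workspace"
    return False, "outside-workspace"
```

The check is lexical only: junctions, symlinks and 8.3 short names still have to be resolved against the opened handle before the final decision.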

Contributing to Windows Sandboxing

If you can iterate on Windows sandboxing, aim to close the four smoketest failures and rerun the test suite until all 41/41 pass.
