Sandbox capabilities

Celistra wraps every spawned agent in a kernel-enforced sandbox by default. This is a feature page — for the deep dive, see Sandboxing Claude Code on macOS.

The default policy

• workspace_rw — read+write inside the chosen workspace folder
• read_anywhere — read everywhere on the filesystem
• network — outbound network
• subprocess — fork/exec child processes

That's the right policy 95% of the time. The agent can read your code, hit the internet, run git / npm / cargo, but cannot write outside the workspace.

Per-agent grants

For the cases that need more: edit ~/.celistra_capabilities.json from the tray. Each grant is a match block (agent name pattern, source, command) plus a list of capabilities to add. AND within a grant, OR across grants.

Capability tokens

workspace_rw · read_anywhere · network · subprocess · screen_capture · accessibility · full_disk_access · read:<path> · write:<path> · exec:<path> · privileged

Audit log

Every spawn, every grant, every kernel block decision goes into the hash-chained audit log. Hourly verification. View it via the dashboard's Activity panel (live SSE stream).

Master switch

"Sandbox: ON / OFF" in the tray menu — for the rare unrestricted run. The toggle event is itself audited.

Linux & Windows

Linux uses bubblewrap with the same capability mapping. Windows uses Win32 Job Objects + AppContainer for the equivalent containment. Same JSON config, different profile generator.