Sandbox Commands
Complete reference for all sandbox slash commands. These commands control the OS-level sandbox for bash command isolation.
Quick Reference
| Command | Arguments | Description |
|---|---|---|
/sandbox | — | Show sandbox status |
/sandbox:enable | — | Enable sandbox (auto-allow mode) |
/sandbox:disable | — | Disable sandbox |
/sandbox:mode | <auto-allow|permissions> | Set sandbox mode |
/sandbox:trust-domain | <domain> [...] | Trust network domain(s) |
/sandbox:domains | — | Show allowed domains |
/sandbox:violations | [count] | Show recent violations |
/sandbox:violations:clear | — | Clear violation log |
/sandbox
Show current sandbox status, configuration, and session statistics.
Usage:
/sandbox
Example output:
Sandbox Status:
Mode: auto-allow
Platform: darwin (macOS)
Runtime: seatbelt (sandbox-exec)
Network Proxy: running (port 54321)
Configuration:
Filesystem: writes restricted to CWD
Denied paths: 6 configured
Allowed read paths: 3 configured
Excluded commands: docker, watchman, podman
Session Stats:
Sandboxed: 42
Unsandboxed: 3
Blocked: 0
Violations: 1
What it shows:
- Current mode (
disabled,auto-allow, orpermissions) - Platform and runtime details
- Network proxy status and port
- Configuration summary
- Session statistics since sandbox was enabled
When to use:
- After enabling the sandbox to verify it's active
- To check how many commands have been sandboxed
- To review configuration at a glance
/sandbox:enable
Enable the sandbox in auto-allow mode. Starts the network proxy if network.enabled is true in your config.
Usage:
/sandbox:enable
Example output:
Sandbox enabled (auto-allow mode)
Runtime: seatbelt (macOS)
Network proxy: started on port 54321
All bash commands will now be sandboxed.
Tip: /sandbox to check status, /sandbox:disable to turn off
What happens:
- Sets sandbox mode to
auto-allow - Detects platform runtime (Seatbelt on macOS, Bubblewrap on Linux)
- Starts network proxy if network filtering is configured
- Persists the setting to your config file
- All subsequent bash commands are wrapped in the OS-level sandbox
When to use:
- Starting a development session where you want isolation
- Before running untrusted commands or scripts
- When working in a shared environment
/sandbox:disable
Disable the sandbox and stop the network proxy.
Usage:
/sandbox:disable
Example output:
Sandbox disabled
Network proxy: stopped
Bash commands will now execute without sandboxing.
What happens:
- Sets sandbox mode to
disabled - Stops the network proxy if running
- Persists the setting to your config file
- Subsequent bash commands run without sandbox wrapping
When to use:
- When sandbox restrictions interfere with your workflow
- After finishing a security-sensitive task
- When you need full filesystem or network access
/sandbox:mode
Switch between sandbox modes without disabling/re-enabling.
Usage:
/sandbox:mode <auto-allow|permissions>
Arguments:
auto-allow— Sandboxed commands run without permission promptspermissions— Prompt before each sandboxed command
Example:
/sandbox:mode permissions
Example output:
Sandbox mode set to: permissions
Sandboxed commands will now require approval before execution.
What happens:
- Changes the sandbox mode without restarting the proxy
- Persists the setting to your config file
- Takes effect immediately for the next command
When to use:
- Switching from auto-allow to permissions for a sensitive operation
- Switching back to auto-allow for faster iteration
/sandbox:trust-domain
Add one or more domains to the network proxy allowlist. Supports wildcards.
Usage:
/sandbox:trust-domain <domain> [domain2] [domain3] ...
Arguments:
domain— Domain name to allow. Supports wildcard prefix:*.example.com
Examples:
# Trust a single domain
/sandbox:trust-domain api.openai.com
# Trust multiple domains
/sandbox:trust-domain api.openai.com cdn.openai.com
# Trust all subdomains with wildcard
/sandbox:trust-domain *.openai.com
Example output:
Added to allowed domains:
+ api.openai.com
+ cdn.openai.com
Total allowed domains: 20
What happens:
- Adds domain(s) to the
network.allowedDomainslist - Updates the running proxy immediately
- Persists to your config file
Wildcard behavior:
*.github.commatchesapi.github.com,raw.github.com, etc.*.github.comdoes not matchgithub.com(bare domain)- Domain matching is case-insensitive and port-stripped
When to use:
- After a network violation blocks a domain you need
- Setting up allowlist for a new project's dependencies
- Temporarily allowing a domain for a specific task
/sandbox:domains
List all domains in the network proxy allowlist.
Usage:
/sandbox:domains
Example output:
Allowed Domains (18):
registry.npmjs.org
*.npmjs.org
pypi.org
*.pypi.org
files.pythonhosted.org
crates.io
*.crates.io
rubygems.org
github.com
*.github.com
gitlab.com
*.gitlab.com
bitbucket.org
*.bitbucket.org
*.githubusercontent.com
*.cloudflare.com
api.openai.com
cdn.openai.com
When to use:
- Reviewing which domains are allowed before enabling network filtering
- Verifying a domain was added after
/sandbox:trust-domain - Auditing network access for security review
/sandbox:violations
Show recent sandbox violations (filesystem and network).
Usage:
/sandbox:violations [count]
Arguments:
count— Number of violations to show (default: 20)
Example:
/sandbox:violations 5
Example output:
Recent Violations (5):
[filesystem] deny file-write-data /Users/me/.ssh/config
Command: echo "test" >> ~/.ssh/config
Blocked by: sandbox
Time: 2 minutes ago
[network] Blocked CONNECT to api.stripe.com:443
Command: [network] CONNECT api.stripe.com
Blocked by: proxy
Time: 5 minutes ago
[filesystem] deny file-read-data /Users/me/.aws/credentials
Command: cat ~/.aws/credentials
Blocked by: sandbox
Time: 8 minutes ago
Color coding:
- Yellow — filesystem violations
- Cyan — network violations
Violation fields:
- Type:
filesystemornetwork - Detail: What was blocked (file path or domain)
- Command: The command that triggered the violation
- Blocked by:
sandbox(OS runtime),proxy(network proxy), orconfig(excluded command) - Time: When the violation occurred
When to use:
- After a command fails unexpectedly — check if the sandbox blocked it
- Reviewing what access was attempted during a session
- Deciding which paths or domains to add to your allowlist
/sandbox:violations:clear
Clear the violation log and reset session statistics.
Usage:
/sandbox:violations:clear
Example output:
Violation log cleared.
Session stats reset.
What happens:
- Clears all recorded violations from
~/.bike4mind/violations.jsonl - Resets session counters (sandboxed, unsandboxed, blocked, violations)
When to use:
- Starting a fresh monitoring session
- After resolving all violations by updating config
- Cleaning up a large violation log
Tips
- Run
/sandboxafter enabling to verify everything is active - Use
/sandbox:violationsafter a command fails to understand what was blocked - Use
/sandbox:trust-domainwhen the network proxy blocks a needed domain — it takes effect immediately - Wildcard domains (
*.example.com) are useful for services with many subdomains - Session stats in
/sandboxgive you a quick overview of sandbox activity