Every tool call is wrapped in Bubblewrap, ensuring it can only access the files and directories belonging to the project you're working on. Anything outside the project — your home directory, credentials, unrelated files — simply isn't visible inside the sandbox. Containment is enforced by the Linux kernel's mount namespaces, not by string checks.
This applies to all built-in tools, not just shell commands. File reads and writes
run through the same sandbox via a small statically-linked helper, so write_file
and edit_file are confined exactly like bash is.
Extra paths and network
A project, weave, or task can grant access to additional directories when
work genuinely spans more than one folder, and a task can disable network for
its shell commands when isolation matters. Bubblewrap requires bubblewrap to be
installed with unprivileged user namespaces enabled — see
Installation.