Skip to content

fugue-labs/bwrap-go

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
cmd/srt
cmd/srt
 
 
docs
docs
 
 
examples
examples
 
 
internal
internal
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
config.go
config.go
 
 
go.mod
go.mod
 
 
manager.go
manager.go
 
 

Repository files navigation

bwrap-go

bwrap-go is a Go subprocess sandbox for macOS and Linux.

It is a partial Go port of Anthropic's sandbox-runtime, focused on the filesystem-confinement path you need for sleepy and gollem:

  • macOS uses sandbox-exec with generated Seatbelt profiles
  • Linux uses bubblewrap

The current sweet spot is simple and useful: wrap an untrusted or model-shaped subprocess, constrain where it can read and write, and keep the blast radius inside a worktree plus a few explicit cache/temp directories.

Current Scope

Supported:

  • macOS filesystem sandboxing
  • Linux filesystem sandboxing
  • embedding from Go
  • CLI wrapper usage via cmd/srt

Not supported:

  • Windows
  • full upstream parity

Present but not the main focus right now:

  • network restriction plumbing and proxy infrastructure

If your question is "is this useful right now?", the answer is yes for filesystem-confining evaluator/tool subprocesses on macOS and Linux.

What It Is Good For

  • sleepy evaluator subprocesses
  • gollem tool or shell subprocesses
  • local agent workers that should only mutate files inside a project root
  • benchmarks, tests, codegen, and mutation loops

What It Is Not

  • a full desktop isolation story
  • a VM or container replacement
  • a Windows sandbox

Quick Start

macOS requirements:

  • built-in /usr/bin/sandbox-exec

Linux requirements:

  • bwrap
  • socat

Example CLI invocation:

go run ./cmd/srt -settings examples/filesystem-only.json -c "printf ok > ./out.txt"

Example Go usage:

package main

import (
	"os/exec"

	srt "github.com/fugue-labs/bwrap-go"
)

func main() {
	cfg := srt.SandboxRuntimeConfig{
		Filesystem: srt.FilesystemConfig{
			AllowWrite: []string{"."},
		},
	}

	manager := srt.NewManager()
	if err := manager.Initialize(cfg, nil); err != nil {
		panic(err)
	}
	defer manager.Reset()

	wrapped, err := manager.WrapWithSandbox("go test ./...", "", nil)
	if err != nil {
		panic(err)
	}

	cmd := exec.Command("/bin/sh", "-c", wrapped)
	cmd.Stdout = nil
	cmd.Stderr = nil
	if err := cmd.Run(); err != nil {
		panic(err)
	}
	manager.CleanupAfterCommand()
}

How To Read The Project

Start here:

Key API surface:

Platform backends:

Verification

This has been exercised in both supported environments:

  • real Seatbelt execution on macOS via sandbox-exec
  • real bubblewrap execution on Linux via Docker

That means the current claim is concrete: macOS and Linux filesystem sandboxing work. Windows does not exist. Network isolation is not the focus of the current integration work.

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

v0.1.0 Latest
Apr 11, 2026

Packages

 
 
 

Contributors

Languages