cplt — Your AI agent is sandboxed.

Kernel-level isolation for AI coding agents. Your secrets stay secret — enforced by the OS, not by trust.

cplt demo: Copilot agent attempts to read credentials and exfiltrate data, all blocked by cplt sandbox
brew install navikt/tap/cplt
curl -fsSL https://raw.githubusercontent.com/navikt/cplt/main/install.sh | bash

macOS (Apple Seatbelt) · Linux (Landlock + seccomp-BPF)

Security boundary

What your agent can and cannot access — enforced at the kernel level.

| Resource | Without cplt | With cplt |
| --- | --- | --- |
| Project directory (read/write) | Allowed | Allowed |
| Secrets (.env*, .pem, .key, SSH keys) | ⚠ Exposed | Protected |

Your agent sees the code, not your secrets.

Four layers of kernel-enforced protection — no userspace bypass possible.

Filesystem Isolation

Kernel-level blocks on secrets, credentials, keys, and .env files. Your ~/.ssh, ~/.aws, and registry credentials are invisible to the agent.

Network Control

CONNECT proxy intercepts all outbound traffic. Blocklist or allowlist mode, private IP protection, full audit logging.

Environment Hardening

npm lifecycle scripts disabled, safe env var allowlist, git hooks write-protected, no exec from /tmp.

Multi-platform Enforcement

Same policy on macOS (Seatbelt) and Linux (Landlock + seccomp-BPF). Kernel-enforced — no userspace bypass.

Network proxy

All outbound traffic routes through a local CONNECT proxy. Block, allow, or audit — your choice.

[Diagram: network flow inside the cplt sandbox]
AI Agent (curl, fetch, git) → CONNECT Proxy (localhost:ephemeral): Blocklist / Allowlist, Private IP filter, DNS rebinding protection, Audit log
✓ Allowed → Internet: github.com, npm, PyPI, api.openai.com (allowlisted or not in blocklist)
✗ Blocked → Dropped: webhook.site, ngrok.io, pastebin.com, 169.254.x.x, 10.x.x.x, tunneling services
proxy.blocked_domains: ~70 domains · hot-reload every 5s
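
The per-request decision such a proxy has to make, as an added example that is not cplt's own code. The key names `proxy.blocked_domains` and `proxy.allowed_domains` come from the page; the subdomain-matching rule, the function names and the sample entries are assumptions.

```python
import ipaddress

# Constructed sample policy: key names follow the page, entries are a small subset.
BLOCKED_DOMAINS = {"webhook.site", "ngrok.io", "pastebin.com"}   # proxy.blocked_domains
ALLOWED_DOMAINS = {"github.com", "api.openai.com"}               # proxy.allowed_domains
AUDIT_LOG = []                                                   # one entry per CONNECT

def domain_matches(host, domains):
    """Exact or subdomain match (assumed semantics); 'notngrok.io' must not match."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def is_internal(addr):
    """True for loopback, RFC 1918, link-local (169.254.x.x) and other non-global space."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)   # unwrap ::ffff:10.0.0.1
    return not (mapped or ip).is_global

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def decide(host, resolved_ips, mode="blocklist"):
    """Verdict for one CONNECT request. resolved_ips are the addresses the proxy itself
    resolved; it must dial one of exactly these, or a second lookup could differ."""
    if mode == "allowlist" and not domain_matches(host, ALLOWED_DOMAINS):
        verdict = ("block", "not in proxy.allowed_domains")       # fail closed
    elif mode == "blocklist" and domain_matches(host, BLOCKED_DOMAINS):
        verdict = ("block", "in proxy.blocked_domains")
    else:
        addrs = [host] if is_ip_literal(host) else list(resolved_ips)
        internal = [a for a in addrs if is_internal(a)]
        if not addrs:
            verdict = ("block", "no address resolved")
        elif internal:
            verdict = ("block", "internal address " + internal[0])
        else:
            verdict = ("allow", "ok")
    AUDIT_LOG.append({"host": host, "mode": mode, "verdict": verdict[0], "reason": verdict[1]})
    return verdict
```

Checking the resolved addresses rather than only the hostname is what covers the DNS rebinding case: a name that passes the domain lists but resolves to 169.254.x.x or 10.x.x.x is still dropped.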

Multi-agent support

Same sandbox, different agents. Choose the AI that fits your workflow.

GitHub Copilot CLI

Default. Runs Copilot CLI in sandbox with full filesystem and network isolation.

cplt -- -p "fix the tests"

OpenCode

Runs OpenCode in sandbox. Same kernel-level protections, different AI agent.

cplt --agent opencode

Shell

A sandboxed shell with no AI. Useful for testing what the sandbox allows and blocks.

Team configuration

Commit sandbox settings to your repo. Everyone gets the right config automatically.

.cplt.toml
# Tighten automatically — no approval needed
[deny]
env = ["VAULT_TOKEN", "NPM_TOKEN"]

# Propose — requires `cplt trust` approval
[propose]
allow_localhost_any = true

[propose.allow]
ports = [5432]
localhost = [3000]

[deny] — auto-applied

Can only tighten the sandbox. Block env vars, deny file paths — no approval needed.

[propose] — requires approval

Request additional permissions. Each developer approves with cplt trust accept --all. Content-pinned — any change invalidates the approval.

Auto-detect your project

cplt init scans your project for build files, frameworks, and patterns — then generates the right .cplt.toml automatically.

$ cplt init
Detected:
  Spring Boot  application.yml + spring-boot-starter
  Flyway       db/migration/ directory
  Docker       Dockerfile + compose.yml
  Gradle       build.gradle.kts
  .env         .env.example found

Generated .cplt.toml:

# Deny access to sensitive env vars
[deny]
env = ["DB_PASSWORD", "API_KEY"]

[propose]
allow_jvm_attach = true

[propose.allow]
ports = [5432]
localhost = [8080]

⚠ allow_docker  Docker detected — grants broad access

Run cplt init --write to save

15 ecosystem detectors

Each detector knows which sandbox permissions the ecosystem needs. Dangerous permissions get risk warnings.

JVM: Gradle / Maven

How it works

Three steps from zero to sandboxed agent.

STEP 1

Install

brew install navikt/tap/cplt

One command via Homebrew (macOS). Linux: see install script.

STEP 2

Configure

cplt init --write

Detect your project's tooling and generate sandbox config.

Trust the kernel, not the agent.

Open source. MIT licensed.


| Resource | Without cplt | With cplt |
| --- | --- | --- |
| Credentials (~/.aws, ~/.azure, ~/.m2, ~/.gradle, ~/.cargo) | ⚠ Exposed | Protected |
| Git hooks, /tmp execution, SSH agent | ⚠ Exposed | Protected |
| Outbound network (HTTPS) | ⚠ Exposed | Filtered* |
| Private IPs and localhost | ⚠ Exposed | Protected |
| Copilot auth and tool caches (read-only) | Allowed | Allowed |

*Routed through CONNECT proxy — telemetry and non-allowlisted domains are blocked.
All blocks are enforced by the operating system kernel. No userspace bypass is possible.

proxy.allowed_domains: Fail-closed strict mode
cplt --agent shell

Tamper-proof

Read from git HEAD, not the working tree. The agent cannot modify its own sandbox config.

Node.js: npm / pnpm
Docker: Compose
Python: pip / uv
Spring Boot: 8080 + PG
Ktor: 8080
Next.js: 3000
Flyway: PG 5432
Playwright: browsers
Rust / Go: defaults

Personal config with --global

Detects Gradle wrapper, Playwright browsers, GPG signing, and alternative agents on your machine. Writes to ~/.config/cplt/config.toml.

STEP 3

Run Your Agent

cplt -- -p "fix the tests"

Your agent works normally — but secrets are invisible.

Make it the default

Run cplt --shell-install so copilot always runs sandboxed.

$ cplt --shell-install
✓ Added to ~/.zshrc
✓ copilot → cplt (sandboxed)

Restart your shell or: source ~/.zshrc