cplt — Your AI agent is sandboxed.
Kernel-level isolation for AI coding agents. Your secrets stay secret — enforced by the OS, not by trust.

    brew install navikt/tap/cplt
    curl -fsSL https://raw.githubusercontent.com/navikt/cplt/main/install.sh | bash

macOS (Apple Seatbelt) · Linux (Landlock + seccomp-BPF)
What your agent can and cannot access — enforced at the kernel level.
| Resource | Without cplt | With cplt |
|---|---|---|
| Project directory (read/write) | Allowed | Allowed |
| Secrets (.env*, .pem, .key, SSH keys) | Exposed | Protected |
| Credentials (~/.aws, ~/.azure, ~/.m2, ~/.gradle, ~/.cargo) | Exposed | Protected |
| Git hooks, /tmp execution, SSH agent | Exposed | Protected |
| Outbound network (HTTPS) | Exposed | Filtered* |
| Private IPs and localhost | Exposed | Protected |
| Destructive git/gh commands (push, merge, delete) | Exposed | Protected |
| Copilot auth and tool caches (read-only) | Allowed | Allowed |
*Routed through CONNECT proxy — telemetry and non-allowlisted domains are blocked.
All blocks are enforced by the operating system kernel. No userspace bypass is possible.
Four layers of kernel-enforced protection — no userspace bypass possible.
Filesystem Isolation
Kernel-level blocks on secrets, credentials, keys, and .env files. Your ~/.ssh, ~/.aws, and registry credentials are invisible to the agent.
Network Control
CONNECT proxy intercepts all outbound traffic. Blocklist or allowlist mode, private IP protection, full audit logging.
Environment Hardening
npm lifecycle scripts disabled, safe env var allowlist, git hooks write-protected, no exec from /tmp.
Multi-platform Enforcement
Same policy on macOS (Seatbelt) and Linux (Landlock + seccomp-BPF). Kernel-enforced — no userspace bypass.
All outbound traffic routes through a local CONNECT proxy. Block, allow, or audit — your choice.
Block destructive GitHub and git operations. The agent can commit and branch — but not push to main or merge PRs.
Default-deny engine classifying 150+ gh commands.
Read: gh issue list, gh pr view
Write: gh pr create, gh issue edit
Destructive: gh repo delete, gh pr merge
gh api calls restricted to /repos/{current-repo}/...
Blocks push, request-pull, and send-pack. Commit, branch, rebase — all fine.
Feature branches only?

    cplt config set git_guard.protect_default_branch_only true

    $ cplt config set gh_guard.enabled true
    $ cplt config set git_guard.enabled true
⛔ sandbox restriction: `gh pr merge` is not allowed. This command is classified as destructive and blocked by gh guard. Please note this for the human operator and continue with your remaining work.
Start with --gh-guard --git-guard flags for a single run, or mode: audit to observe before enforcing.
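A sketch of the default-deny classification described above, as an added example rather than cplt's own code. The table holds only the six commands named on this page; treating read and write as allowed, and requiring the `gh api` endpoint to be the first argument, are assumptions of the example.

```python
import posixpath
import shlex
from urllib.parse import unquote

# Classes for the six commands listed on the page; anything absent is "unknown".
GH_CLASSES = {
    ("issue", "list"): "read", ("pr", "view"): "read",
    ("pr", "create"): "write", ("issue", "edit"): "write",
    ("repo", "delete"): "destructive", ("pr", "merge"): "destructive",
}

def api_in_repo(endpoint, repo):
    """True only if the endpoint stays under /repos/<repo>/ after normalisation."""
    path = unquote(endpoint.split("?", 1)[0])          # drop query, decode %2e%2e
    path = posixpath.normpath("/" + path.lstrip("/"))  # collapse ".." segments
    return path.startswith(f"/repos/{repo}/")

def classify(command, repo):
    """Return (class, allowed) for a gh command line; the default is deny."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return ("unknown", False)  # unbalanced quotes: refuse rather than guess
    if len(argv) < 3 or argv[0] != "gh":
        return ("unknown", False)
    if argv[1] == "api":
        # Assumption: the endpoint must directly follow `api`; otherwise deny.
        ok = not argv[2].startswith("-") and api_in_repo(argv[2], repo)
        return ("api", ok)
    cls = GH_CLASSES.get((argv[1], argv[2]), "unknown")
    # Assumption: read and write are allowed, destructive and unknown are not.
    return (cls, cls in ("read", "write"))
```

Commands that are missing from the table, or that put global flags before the subcommand, fall through to "unknown" and are refused, which is the property a default-deny guard depends on.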
Same sandbox, different agents. Choose the AI that fits your workflow.
Default. Runs Copilot CLI in sandbox with full filesystem and network isolation.

    cplt -- -p "fix the tests"

Runs OpenCode in sandbox. Same kernel-level protections, different AI agent.

    cplt --agent opencode

A sandboxed shell with no AI. Useful for testing what the sandbox allows and blocks.

    cplt --agent shell

Commit sandbox settings to your repo. Everyone gets the right config automatically.
    # Tighten automatically — no approval needed
    [deny]
    env = ["VAULT_TOKEN", "NPM_TOKEN"]

    # Propose — requires `cplt trust` approval
    [propose]
    allow_localhost_any = true

    [propose.allow]
    ports = [5432]
    localhost = [3000]
[deny] — auto-applied
Can only tighten the sandbox. Block env vars, deny file paths — no approval needed.
[propose] — requires approval
Request additional permissions. Each developer approves with cplt trust accept --all. Content-pinned — any change invalidates the approval.
Tamper-proof
Read from git HEAD, not the working tree. The agent cannot modify its own sandbox config.
cplt init scans your project for build files, frameworks, and patterns — then generates the right .cplt.toml automatically.
    Detected:
      Spring Boot   application.yml + spring-boot-starter
      Flyway        db/migration/ directory
      Docker        Dockerfile + compose.yml
      Gradle        build.gradle.kts
      .env          .env.example found

    Generated .cplt.toml:
      # Deny access to sensitive env vars
      [deny]
      env = ["DB_PASSWORD", "API_KEY"]

      [propose]
      allow_jvm_attach = true

      [propose.allow]
      ports = [5432]
      localhost = [8080]

    ⚠ allow_docker  Docker detected — grants broad access
    Run cplt init --write to save
15 ecosystem detectors
Each detector knows which sandbox permissions the ecosystem needs. Dangerous permissions get risk warnings.
Personal config with --global
Detects Gradle wrapper, Playwright browsers, GPG signing, and alternative agents on your machine. Writes to ~/.config/cplt/config.toml.
Every option explained. Search by name or description.
Type to search or select a section to browse 42 config options.
Three steps from zero to sandboxed agent.
STEP 1

    brew install navikt/tap/cplt

One command via Homebrew (macOS). Linux: see install script.

STEP 2

    cplt init --write

Detect your project's tooling and generate sandbox config.

STEP 3

    cplt -- -p "fix the tests"

Your agent works normally — but secrets are invisible.
Run cplt --shell-install so copilot always runs sandboxed.
    ✓ Added to ~/.zshrc
    ✓ copilot → cplt (sandboxed)
    Restart your shell or: source ~/.zshrc