Sandboxing
Cody CLI can run tool calls (bash commands, file writes) in a sandboxed environment to limit the blast radius of unintended actions.
Enabling Sandboxing
Set the following in settings.json:
{
  "sandboxing": {
    "enabled": true,
    "allowedPaths": ["./src", "./tests"],
    "allowNetwork": false
  }
}
Sandbox Modes
- Path restrictions — Limit file read/write to specific directories.
- Network isolation — Block outbound network calls from bash tools.
- Read-only mode — Allow reads but block all writes.
Per-Tool Configuration
Configure sandbox rules per tool type:
{
  "sandboxing": {
    "tools": {
      "Bash": { "allowNetwork": false },
      "FileWrite": { "allowedPaths": ["./src"] }
    }
  }
}
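A settings.json review check for the keys shown above, as an added example that is not part of Cody CLI or its documentation. The function names and the sample settings are constructed for illustration, and treating a missing "enabled" key as disabled is an assumption.

```python
import json
from pathlib import PurePosixPath

# Constructed sample settings (not from a real project): two risky per-tool overrides.
SAMPLE = """{
  "sandboxing": {
    "enabled": true,
    "allowedPaths": ["./src", "./tests"],
    "allowNetwork": false,
    "tools": {
      "Bash": { "allowNetwork": true },
      "FileWrite": { "allowedPaths": ["./src/../.."] }
    }
  }
}"""

def escapes_project(path):
    """Lexical check: True if path is absolute, home-relative, or resolves to
    the project root or above. Symlinks are not followed."""
    if path.startswith(("/", "~")):
        return True
    depth = 0
    for part in PurePosixPath(path).parts:  # "." components are already dropped
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return depth == 0  # "." or "./src/.." means the whole project

def audit(settings_text):
    """Return (scope, finding) pairs for settings that weaken the sandbox."""
    sb = json.loads(settings_text).get("sandboxing", {})
    findings = []
    # Assumption: sandboxing is off unless "enabled" is explicitly true.
    if sb.get("enabled") is not True:
        findings.append(("global", "sandboxing is not enabled"))
    for scope, rules in [("global", sb)] + sorted(sb.get("tools", {}).items()):
        if rules.get("allowNetwork") is True:
            findings.append((scope, "allowNetwork is true"))
        for p in rules.get("allowedPaths", []):
            if escapes_project(p):
                findings.append((scope, f"allowedPaths entry {p!r} escapes a project subdirectory"))
    return findings

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE):
        print(f"{scope}: {finding}")
```

Each scope is checked on its own, so the result does not depend on how per-tool rules combine with the top-level ones.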
⚠️ Sandboxing is not a security boundary
Sandboxing is a best-effort safety layer. For untrusted code execution, use a proper container or VM.