Introducing Process Sandboxing for mise exec and mise run

[jdx]

We now have process sandboxing for mise exec and mise run — a lightweight way to restrict what your tasks and scripts can access, with no Docker required and minimal overhead.

This feature shipped in v2026.4.2 (with a build fix in v2026.4.3) and is available now as an experimental feature.

What is it?

Process sandboxing lets you lock down filesystem reads/writes, network access, and environment variable inheritance for any command run through mise x or mise run. It uses native OS primitives — no containers, no VMs, no extra dependencies.

• Linux: Landlock for filesystem restrictions (kernel 5.13+) and seccomp-bpf for network filtering
• macOS: Apple's sandbox-exec (Seatbelt) with generated profiles, including per-host network filtering

Quick Start

Enable experimental mode, then use --deny-* and --allow-* flags:

mise settings experimental=true

# Full lockdown — no writes, no network, no env vars
mise x --deny-all -- node script.js

# Block network only
mise x --deny-net -- npm run build

# Block writes except to ./dist
mise x --allow-write=./dist -- npm run build

# Fine-grained control
mise x --deny-all --allow-read=. --allow-write=./dist --allow-net=registry.npmjs.org -- npm install

Task-Level Sandboxing

You can declare sandbox permissions directly in your mise.toml tasks:

[tasks.build]
run = "npm run build"
deny_net = true
allow_write = ["./dist"]

[tasks.lint]
run = "eslint ."
deny_all = true
allow_read = ["."]

[tasks.install]
run = "npm install"
deny_all = true
allow_read = ["."]
allow_write = ["./node_modules"]
allow_net = ["registry.npmjs.org"]

CLI flags override task-level config, so you can tighten or loosen restrictions on the fly.

Using Sandboxing with Claude Code

Sandboxing pairs well with Claude Code for restricting what AI-generated commands can do. You can define sandboxed tasks in your mise.toml that Claude Code executes, or use Claude Code's hooks to wrap mise run invocations with sandbox flags:

# Example: a sandboxed build task that Claude Code can safely invoke
[tasks.build]
run = "npm run build"
deny_net = true
deny_read = true
allow_read = ["./src", "./node_modules"]
allow_write = ["./dist"]

This gives you confidence that even if an AI agent runs a build or script, it can't make unexpected network calls or write outside designated directories.

CLI Flags

Flag	Description
--deny-all	Block reads, writes, network, and env vars
--deny-read	Block filesystem reads (system libs and tool dirs still accessible)
--deny-write	Block all filesystem writes (except /tmp)
--deny-net	Block all network access
--deny-env	Block env var inheritance (only PATH, HOME, USER, SHELL, TERM, LANG pass through)
--allow-read=<path>	Allow reads from specific path
--allow-write=<path>	Allow writes to specific path
--allow-net=<host>	Allow network to specific host (macOS only in v1)
--allow-env=<var>	Allow specific env var through

Smart Defaults

When filesystem restrictions are active, mise automatically keeps essential paths accessible so your tools still work:

• System libraries (/usr, /lib, /bin, etc.) remain readable
• Mise tool installations (~/.local/share/mise/installs/...) remain readable
• /tmp remains writable
• --allow-write paths are implicitly readable

Platform Support

Feature	Linux	macOS
Deny/allow reads	Landlock	Seatbelt
Deny/allow writes	Landlock	Seatbelt
Deny all network	seccomp	Seatbelt
Per-host network (--allow-net=<host>)	Not yet	Seatbelt
Env filtering	Built-in	Built-in
Docker support	Yes	N/A

On older Linux kernels without Landlock support, a warning is printed and the command runs unsandboxed. Windows is not currently supported.

Use Cases

• Run untrusted scripts without worrying about filesystem damage
• Build with network isolation to ensure reproducible offline builds
• Lock down CI tasks to prevent accidental writes outside expected directories
• Enforce least-privilege for tools that don't need broad access
• Sandbox AI agent commands to limit what Claude Code or other agents can do when executing tasks

Documentation: Sandboxing Guide

PR: #8845

---

This post was generated by Claude Code.

[RooTooRD]

Cool