jdx · jdx · Apr 2, 2026 · Apr 2, 2026 · Apr 2, 2026 · Apr 2, 2026
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -92,6 +92,31 @@ jobs:
       - uses: ./.github/actions/mise-tools
       - run: mise x -- cargo test --all-features
 
+  macos-e2e:
+    runs-on: macos-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.head_ref }}
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2
+        with:
+          shared-key: build
+          save-if: false
+      - name: Install fd
+        run: brew install fd
+      - run: |
+          cargo build --all-features
+          echo "$PWD/target/debug" >> "$GITHUB_PATH"
+      - uses: ./.github/actions/mise-tools
+      - name: Run sandbox e2e tests
+        run: |
+          for test in e2e/sandbox/test_sandbox_*; do
+            echo "Running $test..."
+            ./e2e/run_test "$test"
+          done
+
   nightly:
     runs-on: ubuntu-latest
     timeout-minutes: 10
@@ -249,6 +274,7 @@ jobs:
       - build-ubuntu
       - build-windows
       - unit
+      - macos-e2e
       - nightly
       - lint
       - coverage
@@ -270,6 +296,10 @@ jobs:
             echo "unit failed or was skipped"
             exit 1
           fi
+          if [ "${{ needs.macos-e2e.result }}" != "success" ]; then
+            echo "macos-e2e failed or was skipped"
+            exit 1
+          fi
           if [ "${{ needs.nightly.result }}" != "success" ]; then
             echo "nightly failed or was skipped"
             exit 1

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -204,6 +204,10 @@ zstd = "0.13"
 [target.'cfg(unix)'.dependencies]
 exec = "0.3"
 nix = { version = "0.30", features = ["signal", "term", "user"] }
+
+[target.'cfg(target_os = "linux")'.dependencies]
+landlock = "0.4"
+seccompiler = "0.5"
 self_update = { version = "0.42", optional = true, default-features = false, features = [
   "archive-tar",
   "compression-flate2",

diff --git a/docs/.vitepress/config.ts b/docs/.vitepress/config.ts
@@ -147,6 +147,7 @@ export default withMermaid(
             { text: "Task Configuration", link: "/tasks/task-configuration" },
             { text: "Task Templates", link: "/tasks/templates" },
             { text: "Monorepo Tasks", link: "/tasks/monorepo" },
+            { text: "Sandboxing", link: "/sandboxing" },
           ],
         },
         {