safety · 07

Isolation & the sandbox

Your checkout is never touched. Work happens in an isolated worktree, inside a platform-native sandbox.

maps to as-built §11, §24

two kinds of isolation · where the files live, and where the tools run
[Figure: two bands. Top band, where the files live: your checkout (never touched until you apply) feeds an isolated worktree on branch dr/<task>-<id> under ~/.deadreckon/worktrees/, which lands on your branch via `apply`; modes: worktree (default, git), copy (--from <path>), fresh (--fresh, empty), in-place (--in-place, danger). Bottom band, where the tools run: the sandbox, where edits, shell and tests run, network off by default; auto picks the backend per platform: sandbox-exec (macOS Seatbelt), bwrap (Linux Bubblewrap), docker (opt-in), none (unsafe, no isolation).]
Two walls, not one: an isolated worktree keeps your files safe, and a platform-native sandbox keeps the tools contained.

deadreckon isolates a run in two different ways at once: it controls where the files live and where the tools run.

Where the files live: the worktree

By default, a run never edits your checkout. In a git repo it creates a fresh worktree on a dr/<task> branch under ~/.deadreckon/worktrees/. Your real branch changes only when you run deadreckon apply. Four modes decide how files are isolated:

  • worktree: the default for clean git repos.
  • copy: seed a working copy from --from <path>, skipping ignored files.
  • fresh: the old empty-directory behavior, behind --fresh.
  • in-place: edit your tree directly; the dangerous option, gated behind an explicit acknowledgement, with undo as the rollback.

Where the tools run: the sandbox

Every tool the agent runs is executed inside a platform-native sandbox, with the network off by default. auto picks the backend for your platform:

  • sandbox-exec: macOS Seatbelt profiles.
  • bwrap: Linux Bubblewrap containers.
  • docker: an opt-in fallback (the route for Windows).
  • none: no isolation at all; deadreckon warns loudly, for local verification only.
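As an added example (not deadreckon's own code), the two walls above as a small Python module: `worktree_plan` builds the dr/<task>-<id> branch, the directory under ~/.deadreckon/worktrees/ and the `git worktree add` argv that would create them without touching the checkout, and `sandbox_argv` wraps a tool command for each backend with the network off unless explicitly allowed. Only the branch scheme, the worktree root and the backend names come from this page; the function names, the task slugging rule, the bwrap, Seatbelt and docker flag sets, the image name and the `auto` platform mapping are assumptions.

```python
"""Added illustration of deadreckon's two isolation layers (not the project's code).
Only the dr/<task>-<id> branch scheme, the ~/.deadreckon/worktrees/ root and the
backend names come from the docs; everything else here is an assumption."""
import os
import platform
import warnings
from pathlib import Path
from typing import Dict, List, Optional

WORKTREE_ROOT = Path("~/.deadreckon/worktrees").expanduser()


def worktree_plan(task: str, run_id: str, root: Path = WORKTREE_ROOT) -> Dict[str, object]:
    """Plan an isolated worktree: branch dr/<task>-<id>, a directory under root,
    and the git argv that would create both. Slugging rule and argv are assumptions."""
    slug = "".join(c if c.isalnum() or c in "-_" else "-" for c in task.strip().lower())
    branch = f"dr/{slug}-{run_id}"
    path = root / f"{slug}-{run_id}"
    # -b creates the branch at HEAD, so the user's current branch is never checked out or moved.
    argv = ["git", "worktree", "add", "-b", branch, str(path), "HEAD"]
    return {"branch": branch, "path": str(path), "argv": argv}


def auto_backend(system: Optional[str] = None) -> str:
    """'auto' picks the native sandbox per platform; docker is the fallback (Windows)."""
    system = system or platform.system()
    return {"Darwin": "sandbox-exec", "Linux": "bwrap"}.get(system, "docker")


def sandbox_argv(backend: str, workdir: str, command: List[str],
                 allow_network: bool = False,
                 image: str = "deadreckon-runner") -> List[str]:
    """Wrap `command` so it runs confined to `workdir` with the network off by default.
    Flag sets are a plausible minimal profile per backend, not deadreckon's actual ones."""
    workdir = os.path.abspath(workdir)
    if backend == "auto":
        backend = auto_backend()

    if backend == "bwrap":
        argv = ["bwrap",
                "--ro-bind", "/", "/",             # whole filesystem read-only...
                "--bind", workdir, workdir,        # ...except the worktree (later bind wins)
                "--dev", "/dev", "--proc", "/proc", "--tmpfs", "/tmp",
                "--chdir", workdir,
                "--unshare-pid", "--die-with-parent", "--new-session"]
        if not allow_network:
            argv.append("--unshare-net")          # fresh net namespace: no route out
        return argv + ["--"] + command

    if backend == "sandbox-exec":
        rules = ["(version 1)", "(deny default)",
                 "(allow process-exec)", "(allow process-fork)", "(allow sysctl-read)",
                 "(allow file-read*)",
                 f'(allow file-write* (subpath "{workdir}"))',
                 '(allow file-write* (subpath "/private/tmp"))']
        if allow_network:
            rules.append("(allow network*)")     # otherwise covered by (deny default)
        return ["sandbox-exec", "-p", "\n".join(rules)] + command

    if backend == "docker":
        return ["docker", "run", "--rm",
                "--network", "bridge" if allow_network else "none",
                "--cap-drop", "ALL", "--security-opt", "no-new-privileges",
                "-v", f"{workdir}:{workdir}", "-w", workdir, image] + command

    if backend == "none":
        warnings.warn("backend 'none': no isolation at all; local verification only",
                      stacklevel=2)
        return list(command)

    raise ValueError(f"unknown sandbox backend: {backend}")
```

Both helpers return argv rather than executing anything, so a caller runs the worktree plan once and then passes the resulting path to `sandbox_argv` for every tool call; keeping the two walls as separate functions mirrors the point of the page, that a weak setting in one (say `--in-place`) does not loosen the other.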