Sandbox & Trust Tiers
TapPass supports two sandbox backends for execution isolation:
| Backend | Engine | Isolation | Policy reload | Best for |
|---|---|---|---|---|
| nono (default) | nono-py | Kernel (Landlock/Seatbelt) | Tighten only (irreversible) | Dev machines, lightweight |
| OpenShell | NVIDIA OpenShell | Container (K3s/Docker) | Hot-reload network/inference | CI/CD, enterprise, multi-agent |
Both backends enforce the same TapPass policy — the CISO picks the backend.
Basic sandbox (nono — default)
```python
from tappass import Agent

agent = Agent("http://tappass:9620")
agent.secure()  # locks down the process
```
After `secure()`:
- Filesystem: only workspace (read/write), cwd (read-only)
- Credentials: `~/.ssh`, `~/.aws`, etc. are blocked
- Commands: `rm`, `dd`, `chmod`, `sudo`, etc. are blocked
- Network: only localhost (TapPass); external blocked
Trust tiers
Trust tiers provide progressive permissions. New agents start restricted and earn access over time.
```python
agent.secure(tier="worker")    # safe commands, workspace only
agent.secure(tier="standard")  # most commands, system reads
agent.secure(tier="observer")  # read-only, no shell, no network
```
| Tier | Filesystem | Commands | Network | Use case |
|---|---|---|---|---|
| observer | Read workspace only | None | None | Monitoring, read-only analysis |
| worker | Read/write workspace | Safe list only (ls, cat, git, python3, …) | Fetch only (GET) | Code generation, file processing |
| standard | Workspace + system reads | Most commands | Full | General-purpose agents |
| full | Everything (audit only) | Everything | Everything | Trusted agents with high trust scores |
Auto-escalation
Agents can earn higher tiers based on trust score, clean invocations, and violation history:
```python
from tappass.sandbox import TrustGuardian

guardian = TrustGuardian(tier="worker")
result = guardian.evaluate_auto_escalation(
    trust_score=600,        # from TrustEngine (0–1000)
    clean_invocations=300,  # pipeline runs with no violations
    violations=1,           # recent violations
)
# {'eligible': True, 'recommended_tier': 'standard', ...}
```
| Current | Target | Min score | Min clean | Max violations |
|---|---|---|---|---|
| observer | worker | 300 | 50 | 0 |
| worker | standard | 500 | 200 | 2 |
| standard | full | 800 | 1000 | 0 |
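The rule table above is easy to misread as "any higher tier you qualify for"; it actually defines thresholds only between adjacent tiers. The following is an added example (not TapPass's own TrustGuardian code) that applies those thresholds one step at a time and reports which threshold blocked an escalation. The keyword names mirror the documented `evaluate_auto_escalation()` call; the `EscalationResult` dataclass and the `reasons` field are this example's own.

```python
# Added example of the escalation rule table; it is not TapPass's own
# TrustGuardian implementation. The thresholds are copied from the table and
# the keyword names mirror the documented evaluate_auto_escalation() call.
from dataclasses import dataclass

TIER_ORDER = ("observer", "worker", "standard", "full")

# (current tier, next tier) -> (min trust score, min clean invocations, max violations)
ESCALATION_RULES = {
    ("observer", "worker"): (300, 50, 0),
    ("worker", "standard"): (500, 200, 2),
    ("standard", "full"):   (800, 1000, 0),
}


@dataclass(frozen=True)
class EscalationResult:
    eligible: bool
    current_tier: str
    recommended_tier: str   # equals current_tier when not eligible
    reasons: tuple          # unmet thresholds; empty when eligible


def evaluate_auto_escalation(current_tier, trust_score, clean_invocations, violations):
    """Decide whether an agent may move up exactly one tier.

    Escalation is evaluated one step at a time because the rule table only
    defines thresholds between adjacent tiers; an agent cannot jump from
    observer straight to standard in a single evaluation.
    """
    if current_tier not in TIER_ORDER:
        raise ValueError(f"unknown tier: {current_tier!r}")
    if not 0 <= trust_score <= 1000:
        raise ValueError("trust_score must be in the TrustEngine range 0-1000")
    if current_tier == "full":
        return EscalationResult(False, current_tier, current_tier, ("already at the top tier",))

    target = TIER_ORDER[TIER_ORDER.index(current_tier) + 1]
    min_score, min_clean, max_violations = ESCALATION_RULES[(current_tier, target)]

    reasons = []
    if trust_score < min_score:
        reasons.append(f"trust_score {trust_score} < {min_score}")
    if clean_invocations < min_clean:
        reasons.append(f"clean_invocations {clean_invocations} < {min_clean}")
    if violations > max_violations:
        reasons.append(f"violations {violations} > {max_violations}")

    eligible = not reasons
    return EscalationResult(
        eligible=eligible,
        current_tier=current_tier,
        recommended_tier=target if eligible else current_tier,
        reasons=tuple(reasons),
    )


if __name__ == "__main__":
    # Same inputs as the documented call: a worker with score 600, 300 clean runs, 1 violation.
    print(evaluate_auto_escalation("worker", trust_score=600, clean_invocations=300, violations=1))
    # The same history is not enough for an observer, whose rule allows zero violations.
    print(evaluate_auto_escalation("observer", trust_score=600, clean_invocations=300, violations=1))
```

Note the asymmetry the table encodes: the worker to standard step tolerates two recent violations, while both the first step and the final step to `full` require a spotless record, so a single violation pins an observer in place even with a high score.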
Forbidden zones
TapPass ships with 74 protected paths across 7 categories that agents must never access:
| Category | Examples | Count |
|---|---|---|
| Credential | ~/.ssh, ~/.gnupg, ~/.git-credentials, ~/.npmrc | 21 |
| Cloud | ~/.aws, ~/.kube, ~/.azure, ~/.config/gcloud | 14 |
| Crypto | ~/.bitcoin, ~/.ethereum, ~/.metamask, wallet.dat | 9 |
| Browser | Chrome/Firefox/Safari login data, cookies, history | 6 |
| Financial | ~/.stripe, .ofx, .qfx, .ach, .mt940 | 14 |
| System | /etc/shadow, /etc/sudoers, SAM database | 6 |
| Agent | ~/.claude, ~/.cursor, ~/.windsurf config | 4 |
Forbidden zones are checked in:
- `scan_tool_calls`: every file operation tool call
- `tappass discover`: tool descriptions referencing credential paths
- `tappass assess`: host audit of exposed paths
- `TrustGuardian`: all read/write operations
Unicode bypass protection
Forbidden zone checks sanitize paths against evasion techniques:
- Null bytes: `.ss\x00h` → `.ssh` (kernel truncation attack)
- Zero-width characters: `.s\u200Bsh` → `.ssh`
- Cyrillic/Greek confusables: `.ѕѕh` (Cyrillic ѕ) → `.ssh`
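To make the forbidden-zone check and the three sanitization steps above concrete, here is an added example (not TapPass's `scan_tool_calls` or `TrustGuardian` code) that canonicalizes a path and then tests it against a constructed subset of the protected names from the table. The confusable map is deliberately small and illustrative; the `..`-collapsing step goes beyond what the page lists and is this example's own addition.

```python
# Added example of a forbidden-zone check that applies the sanitization steps
# listed above; it is not TapPass's own scan_tool_calls or TrustGuardian code.
# The forbidden names are a constructed subset of the 74-entry table, and the
# confusable map covers only a handful of letters for illustration.
import posixpath
import unicodedata

# Per-component names: anything at or beneath such a directory is refused.
FORBIDDEN_COMPONENTS = frozenset({".ssh", ".gnupg", ".git-credentials", ".npmrc",
                                  ".aws", ".kube", ".bitcoin", "wallet.dat"})
# Exact absolute paths from the "System" category.
FORBIDDEN_ABSOLUTE = frozenset({"/etc/shadow", "/etc/sudoers"})

ZERO_WIDTH = frozenset({"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"})

# Illustrative confusables only (assumption: a production check would load the
# full Unicode confusables table). Keys are Cyrillic/Greek letters that render
# like ASCII; values are the ASCII letter they imitate.
CONFUSABLES = {
    "\u0455": "s",  # Cyrillic small dze
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u03bf": "o",  # Greek small omicron
    "\u03b1": "a",  # Greek small alpha
}


def canonicalize(path: str) -> str:
    """Reduce a path to the form the kernel will actually resolve.

    1. Drop NUL bytes: a C string ends at the first NUL, so ".ss\\x00h" never
       reaches the filesystem as written and must not slip past a string
       comparison either.
    2. Drop zero-width characters, which are invisible in logs and tool output.
    3. Map confusable letters to ASCII, then NFKC-normalize compatibility forms
       (fullwidth letters and the like).
    4. Collapse "." and ".." so "~/work/../.aws/credentials" is seen as "~/.aws/credentials".
    """
    cleaned = path.replace("\x00", "")
    cleaned = "".join(ch for ch in cleaned if ch not in ZERO_WIDTH)
    cleaned = "".join(CONFUSABLES.get(ch, ch) for ch in cleaned)
    cleaned = unicodedata.normalize("NFKC", cleaned)
    return posixpath.normpath(cleaned)


def is_forbidden(path: str) -> bool:
    """True when the sanitized path is, or lies beneath, a forbidden zone."""
    canon = canonicalize(path)
    if canon in FORBIDDEN_ABSOLUTE:
        return True
    return any(part in FORBIDDEN_COMPONENTS for part in canon.split("/"))


if __name__ == "__main__":
    for probe in ("~/.ss\x00h/id_rsa", "~/.s\u200bsh/config", "~/.\u0455\u0455h",
                  "~/project/src/main.py", "/etc/shadow"):
        print(f"{probe!r:32} -> {canonicalize(probe)!r:24} forbidden={is_forbidden(probe)}")
```

Matching is done per path component rather than by substring, so `~/.ssh_notes.txt` is allowed while anything under `~/.ssh/` is refused; a substring check would either over-block or, with a confusable in the middle, silently miss.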
Credential monitor
A background daemon that watches credential paths for unauthorized access:
```python
from tappass.sandbox import CredentialMonitor

monitor = CredentialMonitor(
    callback=lambda e: print(f"ALERT: {e.path} ({e.event_type})"),
    interval=5.0,
    agent_id="agent-1",
)
monitor.start()
# ... agent runs ...
monitor.stop()
```
Detection methods:
| Method | Reliability | Description |
|---|---|---|
| Modification (st_mtime) | ✅ Always reliable | File content changed |
| Creation | ✅ Always reliable | New file appeared in protected directory |
| Read access (st_atime) | ⚠️ Filesystem-dependent | Requires atime mount option (probed at startup) |
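The table above lists three detection methods and notes that read detection is probed at startup. The following is an added example (not TapPass's `CredentialMonitor`) of a stat-polling monitor that implements all three: it snapshots a watched directory, emits one event per new or modified file, and only reports reads when a startup probe showed that the filesystem actually advances `st_atime`. The watched directory, probe file name and event names are constructed for the example.

```python
# Added example of a polling credential monitor using the three detection
# methods in the table above; it is not TapPass's CredentialMonitor. The
# watched directory, probe file name and event names are constructed here.
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class CredentialEvent:
    path: str
    event_type: str  # "created", "modified" or "read"


class PollingCredentialMonitor:
    def __init__(self, watched_dirs, callback):
        self.watched_dirs = [os.fspath(d) for d in watched_dirs]
        self.callback = callback
        # Read detection depends on the mount keeping atime; probe once at startup
        # instead of trusting it blindly (noatime mounts never update it).
        self.atime_reliable = all(self._probe_atime(d) for d in self.watched_dirs)
        self._snapshot = self._scan()

    @staticmethod
    def _probe_atime(directory):
        """Return True if reading a file advances st_atime on this filesystem."""
        probe = os.path.join(directory, ".atime-probe")  # constructed name
        try:
            with open(probe, "w") as f:
                f.write("probe\n")
            st = os.stat(probe)
            # Push atime well behind mtime so even relatime mounts must update it on read.
            os.utime(probe, ns=(st.st_mtime_ns - 10 ** 10, st.st_mtime_ns))
            before = os.stat(probe).st_atime_ns
            with open(probe, "rb") as f:
                f.read()
            return os.stat(probe).st_atime_ns > before
        except OSError:
            return False
        finally:
            try:
                os.remove(probe)
            except OSError:
                pass

    def _scan(self):
        snap = {}
        for d in self.watched_dirs:
            if not os.path.isdir(d):
                continue
            for name in os.listdir(d):
                p = os.path.join(d, name)
                try:
                    st = os.stat(p)
                except FileNotFoundError:
                    continue  # raced with a deletion
                snap[p] = (st.st_mtime_ns, st.st_atime_ns)
        return snap

    def poll(self):
        """Compare against the previous snapshot and emit one event per changed file."""
        current = self._scan()
        events = []
        for p, (mtime, atime) in current.items():
            prev = self._snapshot.get(p)
            if prev is None:
                events.append(CredentialEvent(p, "created"))
            elif mtime != prev[0]:
                events.append(CredentialEvent(p, "modified"))
            elif self.atime_reliable and atime > prev[1]:
                events.append(CredentialEvent(p, "read"))
        self._snapshot = current
        for e in events:
            self.callback(e)
        return events


def demo():
    """Create, then touch, a fake key inside a temporary watched directory."""
    seen = []
    with tempfile.TemporaryDirectory() as d:
        mon = PollingCredentialMonitor([d], seen.append)
        key = os.path.join(d, "id_rsa")
        with open(key, "w") as f:
            f.write("constructed, not a real key\n")
        mon.poll()  # -> created
        st = os.stat(key)
        os.utime(key, ns=(st.st_atime_ns, st.st_mtime_ns + 10 ** 9))
        mon.poll()  # -> modified
    return [e.event_type for e in seen]


if __name__ == "__main__":
    print(demo())
```

A daemon built on this would call `poll()` every `interval` seconds from a background thread. The probe is what keeps the reliability column honest: on a `noatime` mount it returns False and the monitor silently degrades to creation and modification events rather than reporting reads it cannot actually see.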
Exfiltration blocklist
60+ known paste services, webhook relays, and tunnel domains:
```python
from tappass.sandbox import get_blocklist

bl = get_blocklist()
bl.is_blocked("pastebin.com")    # True
bl.is_blocked("evil.ngrok.io")   # True (subdomain match)
bl.add_domain("custom-bad.com")  # runtime addition
```
Runtime additions sync to the KV store: when Redis is configured (TAPPASS_KV_URL=redis:/…), additions propagate across all server workers.
| Category | Domains | Examples |
|---|---|---|
| Paste | 28 | pastebin.com, gist.github.com, transfer.sh, ix.io |
| Webhook | 19 | webhook.site, ngrok.io, pipedream.com, burpcollaborator.net |
| Cloud storage | 11 | s3.amazonaws.com, dropbox.com, mega.nz |
| DNS tunnel | 2 | (dynamic: extend at runtime) |
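The snippet above shows that `evil.ngrok.io` is blocked by the `ngrok.io` entry. Getting that subdomain match right is where blocklists usually go wrong, so here is an added example (not TapPass's `get_blocklist()`) that matches only at label boundaries, normalizes case and trailing dots, and applies the same check to the host part of a URL. The seed list is a constructed subset of the documented categories; `url_is_blocked` and `demo_runtime_addition` are this example's own names.

```python
# Added example of label-boundary domain matching for an exfiltration
# blocklist; it is not TapPass's get_blocklist(). The seed list is a
# constructed subset of the documented categories.
from urllib.parse import urlsplit

SEED_DOMAINS = (
    "pastebin.com", "gist.github.com", "transfer.sh", "ix.io",             # paste
    "webhook.site", "ngrok.io", "pipedream.com", "burpcollaborator.net",   # webhook
    "s3.amazonaws.com", "dropbox.com", "mega.nz",                          # cloud storage
)


class ExfilBlocklist:
    def __init__(self, domains=()):
        self._domains = set()
        for d in domains:
            self.add_domain(d)

    @staticmethod
    def _normalize(host: str) -> str:
        # Case-insensitive, ignore a trailing root dot, and encode IDN labels so
        # a host spelled with real non-ASCII letters compares on its wire form.
        host = host.strip().lower().rstrip(".")
        try:
            return host.encode("idna").decode("ascii")
        except UnicodeError:
            return host

    def add_domain(self, domain: str) -> None:
        """Runtime addition; a shared deployment would also publish this to the KV store."""
        self._domains.add(self._normalize(domain))

    def is_blocked(self, host: str) -> bool:
        """Match the host or any parent domain at a label boundary.

        "evil.ngrok.io" matches "ngrok.io". A plain substring test would also
        (wrongly) flag "pastebin.com.example.org", and an endswith() test would
        (wrongly) flag "notngrok.io"; walking the label suffixes avoids both.
        """
        labels = self._normalize(host).split(".")
        return any(".".join(labels[i:]) in self._domains for i in range(len(labels)))

    def url_is_blocked(self, url: str) -> bool:
        """Apply the same check to the host part of a URL, ignoring credentials and port."""
        host = urlsplit(url).hostname
        return bool(host) and self.is_blocked(host)


def get_blocklist() -> ExfilBlocklist:
    return ExfilBlocklist(SEED_DOMAINS)


def demo_runtime_addition():
    """Show that a domain added at runtime also covers its subdomains."""
    bl = get_blocklist()
    before = bl.is_blocked("custom-bad.com")
    bl.add_domain("custom-bad.com")
    after = bl.is_blocked("files.custom-bad.com")
    return before, after


if __name__ == "__main__":
    bl = get_blocklist()
    for host in ("pastebin.com", "evil.ngrok.io", "notngrok.io", "pastebin.com.example.org"):
        print(f"{host:28} blocked={bl.is_blocked(host)}")
    print("runtime addition (before, after):", demo_runtime_addition())
```

The DNS tunnel category in the table is the one that cannot be covered by a static list, which is why it is left to runtime extension: `add_domain()` is the hook, and in a multi-worker deployment the KV store is what keeps every worker's copy in step.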