Sandbox

Lukan supports OS-level sandboxing using bwrap (bubblewrap) to restrict what the agent’s tools can access on your system.

Setup

lukan sandbox setup              # Install and configure bwrap
lukan sandbox on                 # Enable sandboxing

Commands

lukan sandbox status             # Show current sandbox status
lukan sandbox on                 # Enable sandbox
lukan sandbox off                # Disable sandbox
lukan sandbox setup              # Install and configure bwrap
lukan sandbox uninstall          # Remove sandbox configuration

How It Works

When enabled, tool execution (especially Bash commands) runs inside a bubblewrap sandbox that:

Restricts filesystem access to allowed paths
Limits network access based on configuration
Isolates processes from the host system

When to Use

Running untrusted code or commands
Working with third-party tools
Environments where security isolation is required
Multi-tenant or shared machine setups

Sandboxing requires bwrap to be installed on your system. The lukan sandbox setup command handles installation.

CLI

Configuration

Extensions

Advanced

Setup

Commands

How It Works

When to Use

CLI

Configuration

Extensions

Advanced

​Setup

​Commands

​How It Works

​When to Use

Setup

Commands

How It Works

When to Use