Jail mode

Confine the agent's tools to the current directory.

Jail mode locks the agent's tools to a sandbox rooted at the working directory shown in the status bar. Toggle it with /jail and lift it again with /unjail. While active, the status bar shows jailed, ~/your/cwd. It is a guardrail against accidents and a speed bump for the model, not a hard security boundary.

What it enforces

The file tools resolve their target path (following symlinks) and refuse anything outside the sandbox root:

  • read, write, and edit only touch paths inside the sandbox root.
  • Symlinks that point outside the root are rejected, including for files that do not exist yet.
  • bash rejects obvious escape patterns rather than running them.

Bash guardrails

While jailed, bash refuses commands that contain destructive or escalating patterns, and refuses a leading cd that tries to leave the root:

  • rm -rf /, rm -rf ~, rm -rf $HOME
  • sudo, su
  • chmod -R, chown -R
  • mkfs, dd if=, dd of=/
  • leading cd /, cd ~, cd $HOME, cd ..
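The two checks above (the symlink-aware path confinement from "What it enforces" and the command-string heuristics from this section) as one added example in Python. This is illustrative code written for this page, not zot's own implementation; the class name Jail, its methods allows_path and allows_command, the regular expressions, the treatment of a bare cd as cd ~, and the temporary directory layout built in demo() are all assumptions made here.

```python
import os
import re
import shlex
import tempfile
from pathlib import Path


class Jail:
    """Confine file access and shell commands to one directory (hypothetical helper)."""

    # Command-string heuristics mirroring the page's list. These are substring
    # patterns, not a parser of shell semantics, so they only catch obvious forms.
    BLOCKED = [
        r"\brm\s+-rf\s+(/|~|\$HOME)(\s|$)",   # rm -rf /, rm -rf ~, rm -rf $HOME
        r"\bsudo\b", r"\bsu\b",                # privilege escalation
        r"\bchmod\s+-R\b", r"\bchown\s+-R\b",  # recursive permission changes
        r"\bmkfs\b", r"\bdd\s+if=", r"\bdd\s+of=/",  # filesystem / raw device writes
    ]

    def __init__(self, root):
        # Resolve the root once so symlinked roots (e.g. /var -> /private/var) compare equal.
        self.root = Path(root).resolve()

    def allows_path(self, user_path):
        """True if user_path, after following symlinks, stays under the root.

        resolve() is non-strict: symlinks in existing ancestors are followed and a
        dangling leaf symlink is still expanded, so a not-yet-created file reached
        through a link that points outside the root is rejected as well."""
        target = (self.root / user_path).resolve()
        return target == self.root or self.root in target.parents

    def allows_command(self, cmd):
        """Refuse destructive patterns anywhere, and a leading cd that leaves the root."""
        if any(re.search(pat, cmd) for pat in self.BLOCKED):
            return False
        # Only the first simple command is inspected for cd (leading cd rule).
        first = re.split(r"[;&|]", cmd, maxsplit=1)[0]
        try:
            tokens = shlex.split(first)
        except ValueError:
            return False  # unbalanced quotes: refuse rather than guess
        if tokens and tokens[0] == "cd":
            target = tokens[1] if len(tokens) > 1 else "~"  # assumption: bare cd means cd ~
            target = os.path.expandvars(os.path.expanduser(target))
            return self.allows_path(target)
        return True


def demo():
    """Build a constructed directory tree in a temp dir and exercise both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp, "outside")
        outside.mkdir()
        root = Path(tmp, "project")
        (root / "src").mkdir(parents=True)
        os.symlink(outside, root / "escape")                  # directory link pointing out
        os.symlink(outside / "secret.txt", root / "dangling")  # dangling link pointing out
        jail = Jail(root)
        return {
            "inside": jail.allows_path("src/main.py"),
            "abs_inside": jail.allows_path(str(root / "src")),
            "parent": jail.allows_path("../outside/x"),
            "symlink_dir": jail.allows_path("escape/new.txt"),
            "dangling": jail.allows_path("dangling"),
            "cd_sub": jail.allows_command("cd src && ls"),
            "cd_up": jail.allows_command("cd .. && ls"),
            "cd_root": jail.allows_command("cd /"),
            "rm_root": jail.allows_command("rm -rf /"),
            "rm_home": jail.allows_command("rm -rf $HOME"),
            "rm_sub": jail.allows_command("rm -rf build"),
            "sudo": jail.allows_command("sudo apt install foo"),
            "mkfs": jail.allows_command("mkfs.ext4 /dev/sda1"),
            "dd": jail.allows_command("dd if=/dev/zero of=/dev/sda"),
            "plain": jail.allows_command("git push origin main"),
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:12s} {'allowed' if allowed else 'REJECTED'}")
```

The path check is the dependable half: it compares resolved paths, so a symlink planted inside the root cannot redirect a write elsewhere. The command check is exactly the kind of string heuristic the next section warns about; it recognises the listed forms and nothing more, which is why the page tells you to rely on Docker or an OS sandbox when isolation actually matters.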

Not a security boundary

The bash checks are heuristics on the command string, not a real sandbox. A determined command can still escape. For true isolation, run zot under Docker or a proper OS sandbox. Use /unjail to disable jail mode when you need to reach outside the directory.