Jail mode
Confine the agent's tools to the current directory.
Jail mode locks the agent's tools to a sandbox rooted at the working directory shown in the status bar. Toggle it with /jail and lift it again with /unjail. While active, the status bar shows jailed, ~/your/cwd. It is a guardrail against accidents, a speed bump for the model, not a hard security boundary.
Jail new sessions by default
Enable jail new sessions by default in /settings to start every new agent with jail mode active. It is off by default and applies to interactive, print, JSON, RPC, and background-agent runs. The preference is stored as jail_by_default in $ZOT_HOME/config.json.
Changing the setting also locks or unlocks the current interactive session immediately. /jail and /unjail remain session-scoped overrides, so they do not change the saved default. For example, /unjail unlocks the current session while the next session still starts jailed.
What it enforces
The file tools resolve their target path (following symlinks) and refuse anything outside the sandbox root:
- read, write, and edit only touch paths inside the sandbox root.
- Symlinks that point outside the root are rejected, including for files that do not exist yet.
- bash rejects obvious escape patterns rather than running them.
Bash guardrails
While jailed, bash refuses commands that contain destructive or escalating patterns, and refuses a leading cd that tries to leave the root:
- rm -rf /, rm -rf ~, rm -rf $HOME
- sudo, su
- chmod -R, chown -R
- mkfs, dd if=, dd of=/
- leading cd /, cd ~, cd $HOME, cd ..