Jail mode

Confine the agent's tools to the current directory.

Jail mode locks the agent's tools to a sandbox rooted at the working directory shown in the status bar. Toggle it with /jail and lift it again with /unjail. While active, the status bar shows jailed, ~/your/cwd. It is a guardrail against accidents, a speed bump for the model, not a hard security boundary.

Jail new sessions by default

Enable jail new sessions by default in /settings to start every new agent with jail mode active. It is off by default and applies to interactive, print, JSON, RPC, and background-agent runs. The preference is stored as jail_by_default in $ZOT_HOME/config.json.

Changing the setting also locks or unlocks the current interactive session immediately. /jail and /unjail remain session-scoped overrides, so they do not change the saved default. For example, /unjail unlocks the current session while the next session still starts jailed.

What it enforces

The file tools resolve their target path (following symlinks) and refuse anything outside the sandbox root:

  • read, write, and edit only touch paths inside the sandbox root.
  • Symlinks that point outside the root are rejected, including for files that do not exist yet.
  • bash rejects obvious escape patterns rather than running them.

Bash guardrails

While jailed, bash refuses commands that contain destructive or escalating patterns, and refuses a leading cd that tries to leave the root:

  • rm -rf /, rm -rf ~, rm -rf $HOME
  • sudo, su
  • chmod -R, chown -R
  • mkfs, dd if=, dd of=/
  • leading cd /, cd ~, cd $HOME, cd ..

Not a security boundary

The bash checks are heuristics on the command string, not a real sandbox. A determined command can still escape. For true isolation, run zot under Docker or a proper OS sandbox. Use /unjail to disable jail mode when you need to reach outside the directory.