Trybox is designed for debugging real failures without turning a developer's host into the execution environment.
- No SSH agent forwarding.
- No host home-directory mount.
- No environment variable forwarding except explicit future allowlists.
- Tart runs with clipboard sharing disabled.
- Source access is limited to the current checkout path.
- Imported command execution must be planned before it is run.
The macOS MVP connects to local, disposable checkout VMs and currently disables
SSH host-key verification for guest command execution and rsync. That keeps the
first Tart flow simple, but it is a deliberate local-VM tradeoff rather than a
general remote-execution model. Before Trybox-managed target images carry
non-public credentials or run outside a local VM boundary, Trybox should pin the
guest host key on first contact under ~/.trybox/keys/<vm-id>/known_hosts
and use that file for both SSH and rsync.
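The pinning step described above, sketched as an added shell example (not Trybox's own code). The function names, the `TRYBOX_HOME` override, the `admin` user, and the choice to bind the pin to the VM id through `HostKeyAlias` (so a changed guest IP does not look like a new host) are assumptions.

```shell
#!/bin/sh
# Added example: trust-on-first-use pinning of a guest host key, one file per VM.
# TRYBOX_HOME and all function names are assumptions, not part of Trybox.
TRYBOX_HOME="${TRYBOX_HOME:-$HOME/.trybox}"

known_hosts_path() { printf '%s/keys/%s/known_hosts\n' "$TRYBOX_HOME" "$1"; }

# pin_host_key <vm-id> <ssh-keyscan line: "host keytype base64key">
# First contact stores the key under the VM id. Later contacts succeed only
# when the presented key is identical to the stored pin.
pin_host_key() {
  case "$2" in *" "*" "*) ;; *) return 2 ;; esac   # reject empty/short scans
  _entry="$1 ${2#* }"                               # replace host/IP with vm-id
  _file="$(known_hosts_path "$1")"
  if [ -s "$_file" ]; then
    grep -qxF -- "$_entry" "$_file"                 # 1 = key changed since pin
    return
  fi
  mkdir -p "$(dirname "$_file")" && chmod 700 "$(dirname "$_file")"
  ( umask 077; printf '%s\n' "$_entry" > "$_file" )
}

# One option string for both ssh and rsync, so both verify against the same
# pinned file and never fall back to the user's or system's known_hosts.
# Assumes the path contains no whitespace.
ssh_pin_opts() {
  printf -- '-o UserKnownHostsFile=%s -o GlobalKnownHostsFile=/dev/null ' \
    "$(known_hosts_path "$1")"
  printf -- '-o StrictHostKeyChecking=yes -o HostKeyAlias=%s' "$1"
}

# Usage against a running guest (not executed here; VM and GUEST_IP are
# placeholders supplied by the caller):
#   pin_host_key "$VM" "$(ssh-keyscan -t ed25519 "$GUEST_IP" 2>/dev/null)" \
#     || { echo "host key missing or changed for $VM" >&2; exit 1; }
#   ssh $(ssh_pin_opts "$VM") admin@"$GUEST_IP" true
#   rsync -a -e "ssh $(ssh_pin_opts "$VM")" ./ admin@"$GUEST_IP":checkout/
```

A failed `pin_host_key` on a later contact means the guest presented a different key than the one pinned; the safe response is to stop and recreate the VM rather than overwrite the pin.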
The first problem is native macOS debugging for large source trees on a clean machine. A process sandbox cannot reproduce OS version, GUI behavior, screen capture, permissions, framework behavior, or Apple Silicon VM quirks. Tart provides the machine boundary and lifecycle. Trybox provides the source-aware workflow on top.
Trybox does not currently provide a cloud trust boundary, a remote secrets boundary, or a process-level sandbox. Those are deferred product areas, not hidden guarantees.
sandbox-exec is Apple’s legacy command-line entry point to the macOS
Seatbelt/App Sandbox policy engine. It constrains one process tree through an
SBPL policy while it still runs on the host OS and host kernel. It does not
provide a clean OS install, VM snapshots, guest filesystem state, Xcode state,
or machine-level isolation.
The local macOS man pages mark sandbox-exec and related sandbox_init(3)
policies as deprecated. Trybox must not require sandbox-exec for core
execution.
Permitted future use:
- Optional host-side defense in depth for narrow helper commands.
- Best-effort artifact/log parsing wrappers.
- Any such use must be capability-detected, off by default, logged, and bypassable.
Not permitted as a core design:
- Replacing Tart VM isolation.
- Running source builds directly on the host as the main workflow.
- Depending on undocumented SBPL behavior for security or correctness.