A tool, a guardrail, a compliance check, an evaluator. Drops into any workspace in any runtime. The smallest unit of capability you can buy.
Filter by category. Click a card to see permissions, supported runtimes, changelog, and full description.
Refuses rm -rf, chmod 777, fork bombs, and 60+ destructive shell patterns. Hard block, no override.
Lock workspace filesystem access to declared paths. Anything outside throws EACCES at the runtime layer.