How SafeClaw Enforces Workspace Boundaries
An AI coding agent should stay in its lane. If you're working on a React project in ~/projects/my-app, the agent has no business reading your SSH keys, browsing your downloads folder, or modifying files in a sibling project. Workspace boundary enforcement is how SafeClaw guarantees that agents operate only where they're supposed to.
Why Boundaries Matter
File system access is the most fundamental capability of a coding agent. Agents read source files to understand context, write files to implement changes, and navigate directory structures to find what they need. This access is powerful and necessary — but it's also the easiest capability to abuse.
Without boundaries, an agent that's compromised, misconfigured, or simply confused can read sensitive files anywhere on your machine. Your .ssh directory, your .aws credentials, your browser profiles, other project directories — everything is fair game.
Operating system permissions don't help here because the agent runs as your user. It has all the same access you do. SafeClaw fills this gap by enforcing a virtual boundary that the operating system doesn't provide.
How It Works
When a SafeClaw session starts, the workspace boundary is established. By default, this is the current working directory and its descendants. You can customize it in your policy configuration to include additional directories or exclude specific subdirectories.
Every file operation that passes through SafeClaw — reads, writes, deletes, directory listings, and more — is checked against the workspace boundary before execution. The check is straightforward in principle but subtle in practice.
Path Canonicalization — The first step is resolving the target path to its canonical form. This means resolving symlinks, expanding ~ and environment variables, normalizing . and .. segments, and anchoring relative paths at the session's working directory. An agent that tries to access ./../../etc/passwd must be caught, and that requires knowing what the resolved path actually is before comparing it to the boundary; comparing the raw string the agent supplied is not enough.
Symlink Defense — Symlinks are the classic boundary escape. An agent could create a symlink inside the workspace that points outside it, then follow that link. SafeClaw resolves symlinks at check time and validates the resolved target, not just the link path. We also detect and block the creation of symlinks that point outside the workspace.
Race Condition Prevention — There's a time-of-check-to-time-of-use (TOCTOU) risk: the filesystem could change between when SafeClaw checks the path and when the agent actually accesses it. We mitigate this by holding a file descriptor during the check and using it for the actual operation where possible. For operations where this isn't feasible, we perform a post-operation verification.
Configuration
Workspace boundaries are defined per policy profile:
```yaml
workspace:
root: "~/projects/my-app"
include:
- "~/shared-libs"
exclude:
- "~/projects/my-app/secrets"
- "~/projects/my-app/.env*"
```

The `include` list adds directories outside the root that the agent is permitted to access. The `exclude` list removes directories inside the root that should remain off-limits; entries may be directories or glob patterns such as `.env*`.
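The three checks described under "How It Works" (canonicalization, symlink defense, holding a file descriptor across check and use) and the root/include/exclude policy shape from the YAML above, brought together in one added Python example. This is illustrative code written for this page, not SafeClaw's implementation: the `Workspace` class, the `canonicalize` helper, the rule that exclusions take precedence, and the temporary directory layout built by `demo()` are all assumptions of the example.

```python
import errno
import os
import tempfile
from fnmatch import fnmatch

# Illustrative boundary checker written for this page; not SafeClaw's own code.
# Policy shape mirrors the YAML (root / include / exclude); names are assumptions.


class BoundaryError(PermissionError):
    """The target path resolves outside the permitted workspace."""


def canonicalize(path, cwd):
    """Expand ~ and $VARS, anchor relative paths at cwd, then collapse . and ..
    and resolve every symlink component (realpath does those last two)."""
    p = os.path.expandvars(os.path.expanduser(path))
    if not os.path.isabs(p):
        p = os.path.join(cwd, p)
    return os.path.realpath(p)


def _under(path, root):
    """True if path is root or a descendant of it. commonpath avoids the
    string-prefix bug where /tmp/ws2 'starts with' /tmp/ws."""
    try:
        return os.path.commonpath([path, root]) == root
    except ValueError:  # different drives on Windows
        return False


class Workspace:
    def __init__(self, root, include=(), exclude=()):
        self.roots = [canonicalize(r, os.getcwd()) for r in (root, *include)]
        self.exclude = [canonicalize(e, os.getcwd()) for e in exclude]  # dirs or globs like .env*
        # Descriptors for each permitted root are held for the session; later opens
        # are performed relative to them instead of re-walking the path string.
        self.root_fds = [os.open(r, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC) for r in self.roots]

    def _allowed_root(self, resolved):
        for pat in self.exclude:  # assumption: exclusions win over root and include
            if fnmatch(resolved, pat) or _under(resolved, pat):
                return None
        for root, fd in zip(self.roots, self.root_fds):
            if _under(resolved, root):
                return root, fd
        return None

    def check(self, path, cwd):
        """Canonicalize and decide; returns the resolved path or raises."""
        resolved = canonicalize(path, cwd)
        if self._allowed_root(resolved) is None:
            raise BoundaryError(f"{path!r} resolves to {resolved!r}, outside the workspace")
        return resolved

    def check_symlink_create(self, link_path, target, cwd):
        """Refuse to create a symlink whose target lies outside the workspace.
        A relative target is interpreted relative to the link's own directory."""
        link = self.check(link_path, cwd)
        target_abs = target if os.path.isabs(target) else os.path.join(os.path.dirname(link), target)
        self.check(target_abs, cwd)

    def read_file(self, path, cwd):
        """Check, then open by walking component by component from the held root
        fd with O_NOFOLLOW, so a symlink swapped in after the check is refused
        (ELOOP) rather than followed; the same fd is then used for the read."""
        resolved = self.check(path, cwd)
        root, dirfd = self._allowed_root(resolved)
        parts = os.path.relpath(resolved, root).split(os.sep)
        if parts == [os.curdir]:
            raise BoundaryError("refusing to read a directory")
        opened = []
        try:
            for name in parts[:-1]:
                dirfd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=dirfd)
                opened.append(dirfd)
            fd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=dirfd)
            opened.append(fd)
            with os.fdopen(fd, "rb", closefd=False) as f:
                return f.read()
        except OSError as e:
            if e.errno in (errno.ELOOP, errno.ENOTDIR):
                raise BoundaryError(f"{path!r} changed between check and use") from e
            raise
        finally:
            for x in opened:
                os.close(x)


def demo():
    """Constructed layout (not real data): a workspace plus a symlink escaping it."""
    base = os.path.realpath(tempfile.mkdtemp())
    ws, outside = os.path.join(base, "ws"), os.path.join(base, "outside")
    for d in (os.path.join(ws, "src"), os.path.join(ws, "secrets"), outside):
        os.makedirs(d)
    for rel, text in (("ws/src/app.js", "ok"), ("ws/.env.local", "TOKEN=x"), ("outside/id_rsa", "PRIVATE")):
        with open(os.path.join(base, rel), "w") as f:
            f.write(text)
    os.symlink(os.path.join(outside, "id_rsa"), os.path.join(ws, "src", "key"))  # escape attempt
    w = Workspace(ws, exclude=[os.path.join(ws, "secrets"), os.path.join(ws, ".env*")])
    results = {"src_read": w.read_file("src/app.js", ws)}
    attempts = {
        "dotdot": lambda: w.check("src/../../outside/id_rsa", ws),
        "symlink_follow": lambda: w.read_file("src/key", ws),
        "symlink_create": lambda: w.check_symlink_create("src/evil", "../../outside", ws),
        "env_glob": lambda: w.check(".env.local", ws),
        "excluded_dir": lambda: w.check("secrets/db.yaml", ws),
    }
    for label, attempt in attempts.items():
        try:
            attempt()
            results[label] = "allowed"
        except BoundaryError:
            results[label] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The decision is made on the resolved path, so `src/../../outside/id_rsa` and a symlink at `src/key` are rejected for the same reason: both resolve outside the root. The read itself never re-walks the agent-supplied string; it descends from the root descriptor held since session start, and `O_NOFOLLOW` at every component turns a symlink planted between check and use into an error rather than an escape. Renaming a directory out of the tree while it is open remains outside what this pattern covers, which is why a post-operation verification step still has a role.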
Beyond File Paths
Workspace boundaries in SafeClaw extend beyond just file paths. Network boundaries restrict which hosts the agent can contact. Environment boundaries control which environment variables the agent can read. Process boundaries limit which executables the agent can invoke.
These additional boundaries follow the same enforcement pattern: define the allowed scope, canonicalize the target, check against the boundary, and deny if outside.
Learn More
Workspace boundary enforcement is enabled by default in every SafeClaw installation. Full configuration options and examples are in our documentation. The enforcement logic is open source on GitHub — we encourage security researchers to review and challenge our implementation.
Boundaries are the most basic form of safety. Before you can trust an agent with complex policies and nuanced permissions, you need to know it can't escape its sandbox. That's what workspace enforcement provides.