Policy
Approvals + Sandbox: Practical Policy Baseline
Use policy controls to gate risky commands and keep local runtime safety predictable.
Step 1: Inspect current policy state
mosaic --project-state approvals get
mosaic --project-state sandbox get
mosaic --project-state safety get
Step 2: Set approvals mode
mosaic --project-state approvals set confirm
mosaic --project-state approvals get
# stricter mode
mosaic --project-state approvals set deny
# controlled automation mode
mosaic --project-state approvals set allowlist
Step 3: Manage allowlist prefixes
mosaic --project-state approvals allowlist add "git status"
mosaic --project-state approvals allowlist add "git diff"
mosaic --project-state approvals allowlist list
mosaic --project-state approvals allowlist remove "git diff"
Step 4: Check command-level approval decision
mosaic --project-state approvals check --command "git status"
mosaic --project-state approvals check --command "rm -rf /tmp/x"
Step 5: Set and explain sandbox profile
mosaic --project-state sandbox list
mosaic --project-state sandbox set standard
mosaic --project-state sandbox explain --profile restricted
mosaic --project-state sandbox explain --profile elevated
Step 6: Check command-level sandbox decision
mosaic --project-state sandbox check --command "git status"
mosaic --project-state sandbox check --command "curl https://example.com"
Step 7: Validate merged safety decision
mosaic --project-state safety check --command "git status"
mosaic --project-state safety check --command "curl https://example.com"
mosaic --project-state safety report --audit-tail 50 --compare-window 24h
Step 8: Team baseline recommendation
- Default baseline: approvals=confirm + sandbox=standard.
- Use allowlist only for explicit CI automation prefixes.
- Run doctor and safety report in release checks.
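
An added example, not part of mosaic or of this page's original text: a Python pre-review check to run over proposed prefixes before they are passed to `approvals allowlist add` (Step 3), in support of the "explicit CI automation prefixes" rule above. The rule sets, function names and sample list are assumptions for illustration and say nothing about how mosaic itself matches prefixes.

```python
import shlex

# Constructed review rules for illustration; not mosaic's own policy logic.
SHELL_META = set(";&|`$<>(){}\n")
LAUNCHERS = {"sh", "bash", "zsh", "env", "sudo", "xargs", "python", "python3", "node"}

def audit_prefix(prefix):
    """Return review findings for one proposed allowlist prefix (empty list = OK)."""
    findings = []
    if not prefix.strip() or prefix != prefix.strip():
        findings.append("empty or padded with whitespace")
    if SHELL_META & set(prefix):
        findings.append("contains shell metacharacters")
    try:
        tokens = shlex.split(prefix)
    except ValueError:
        return findings + ["unbalanced quoting"]
    if tokens and tokens[0].rsplit("/", 1)[-1] in LAUNCHERS:
        findings.append("first token can launch arbitrary commands")
    if len(tokens) == 1:
        findings.append("bare program name covers every subcommand")
    return findings

def covers(prefix, command):
    """Strict token-wise prefix test used here to reason about reach.
    Assumption: mosaic's real matching may differ; confirm with `approvals check`."""
    if SHELL_META & set(command):
        return False  # chained or substituted commands never count as covered
    try:
        p, c = shlex.split(prefix), shlex.split(command)
    except ValueError:
        return False
    return bool(p) and c[:len(p)] == p

def audit_allowlist(prefixes):
    """Map each rejected prefix to its findings; accepted prefixes are omitted."""
    return {p: f for p in prefixes if (f := audit_prefix(p))}

# Constructed sample: the two prefixes from Step 3 plus entries a review should reject.
PROPOSED = ["git status", "git diff", "git", "bash -c", "git status; "]

if __name__ == "__main__":
    for prefix, findings in audit_allowlist(PROPOSED).items():
        print(f"REJECT {prefix!r}: {', '.join(findings)}")
```

Prefixes that pass this review can then be confirmed against the live policy with `approvals check --command` as in Step 4.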