Manage sandbox operations

Aperture chat sandbox is currently in alpha.
The chat sandbox requires activation by Tailscale before you can use it. To request access, sign up using this form.

The chat sandbox gives each conversation an isolated cloud environment where the assistant can run code, create files, and produce downloadable artifacts. Tailscale provisions and manages the infrastructure that runs the sandbox. This topic explains the security properties you can rely on and how to turn the feature on or off.

Monitoring and health

Tailscale monitors the health of the sandbox infrastructure that runs your instance, including connectivity, file handling, and cleanup. You do not need to watch logs or metrics for these systems.

If the sandbox stops responding, returns repeated errors, or storage usage appears incorrect, contact Tailscale support. For symptom-by-symptom guidance, refer to troubleshoot sandbox issues.

Turn the sandbox on or off

The chat_sandbox feature flag controls whether sandbox tools are available to users. The flag is hidden by default. To reveal it, press Shift+F. Toggling this flag takes effect immediately, with no restart required.

  • Disabling the flag hides sandbox tools from users. In-flight tool executions complete, but no new tool calls are accepted.
  • Re-enabling the flag restores sandbox tools immediately.

For step-by-step instructions, refer to enable the chat sandbox.

Tailscale handles upgrades to the underlying sandbox infrastructure, and they require no action on your part. In-flight file uploads complete independently of infrastructure maintenance.

Security considerations

Each conversation gets its own isolated sandbox. The following properties hold:

  • Conversations cannot access each other's files or state.
  • File downloads require conversation ownership. Users can only download files from their own conversations.
  • Sandboxes have outbound-only internet access, restricted to an allowlist of package and source hosts, and cannot reach Aperture's internal infrastructure.
  • HTML preview files cannot load external resources or run scripts in your session, and cannot reach parent-page cookies or storage.
  • Uploaded files are encrypted at rest and integrity-verified after upload.

The sandbox reaches the internet only through an outbound proxy restricted to approved package registries and source hosts. This greatly limits the ability to transmit data out of the sandbox, but does not eliminate it. Some allowlisted hosts can receive arbitrary content. Avoid placing highly sensitive data in a sandbox conversation.
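
One way to act on this advice is to screen files on your side before they are attached to a sandbox conversation. The following is an added example, not Aperture or Tailscale code: the function name, the secret patterns, and the reading of 25 MB as decimal megabytes are assumptions, and the limits come from the operational parameters reference on this page.

```python
import re

# Limits from the operational parameters reference on this page.
UPLOAD_LIMIT = 25 * 10**6        # 25 MB, read here as decimal megabytes (assumption)
CONVERSATION_LIMIT = 5 * 2**30   # 5 GiB

# Illustrative patterns only (assumption); replace with your organization's own rules.
SECRET_PATTERNS = {
    "pem_private_key": re.compile(rb"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "credential_assignment": re.compile(
        rb"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?[^\s'\"]{8,}"),
}

def check_upload(name, data, used_bytes=0):
    """Return reasons not to upload `data`; an empty list means nothing was found."""
    findings = []
    if len(data) > UPLOAD_LIMIT:
        findings.append(f"{name}: {len(data)} bytes exceeds the 25 MB upload limit")
    if used_bytes + len(data) > CONVERSATION_LIMIT:
        findings.append(f"{name}: would exceed the 5 GiB conversation storage limit")
    for label, pattern in SECRET_PATTERNS.items():
        match = pattern.search(data)
        if match:
            # Report the line number only, never the matched value itself.
            line = data.count(b"\n", 0, match.start()) + 1
            findings.append(f"{name}: possible {label} on line {line}")
    return findings

# Constructed sample inputs, not real credentials.
SAMPLES = {
    "notes.txt": b"quarterly numbers\nnothing sensitive here\n",
    "deploy.env": b"REGION=eu-west-1\nAPI_KEY=" + b"x" * 24 + b"\n",
    "id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        for finding in check_upload(name, data) or [f"{name}: no findings"]:
            print(finding)
```

An empty result means only that none of these patterns matched, not that the file is safe to share.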

Operational parameters reference

Parameter                    Value    Description
Upload size limit            25 MB    Maximum size of a single user file upload
Conversation storage limit   5 GiB    Maximum combined uploads and outputs per conversation