Sandbox reference
Last validated:
The Aperture chat sandbox gives the AI assistant an isolated Linux VM for each conversation. The assistant uses five tools to run commands, read files, create files, edit files, and share output files with users. The VM persists across tool calls within a conversation and has restricted, allowlisted internet access.
This topic documents tool parameters, file system layout, size limits, supported file types, and error messages. For a conceptual overview of the sandbox feature, refer to the chat sandbox feature guide. For troubleshooting sandbox issues, refer to troubleshoot sandbox issues. For operational tasks such as monitoring, refer to manage sandbox operations.
Tools
The sandbox exposes five tools to the AI assistant. Tool names appear in the chat interface when the assistant invokes them.
bash
Execute a shell command in the sandbox VM.
| Parameter | Type | Required | Description |
|---|---|---|---|
command | string | Yes | The shell command to execute |
timeout | integer | No | Maximum execution time in seconds. Default: 600 (10 minutes) |
The working directory is /home/aperture. The default timeout is 10 minutes. If timeout is provided and greater than zero, it overrides the default. The bash tool applies the supplied value without an upper-bound clamp, but the enclosing assistant turn is itself bounded at 10 minutes. A per-call timeout greater than 600 seconds therefore does not extend execution beyond the turn deadline, so the effective maximum is 10 minutes.
Output format:
- Exit code 0 with output: The raw command output
- Exit code 0 with no output:
Exit code: 0 (no output) - Non-zero exit code:
Exit code: {code}followed by the output
Command output is truncated at 1 MiB (1,048,576 bytes) with a notice appended if exceeded. Output that exceeds this cap can be redirected to a file and read in sections with view.
view
View text files, images, and directory listings in the sandbox VM.
| Parameter | Type | Required | Description |
|---|---|---|---|
path | string | Yes | Absolute path to a file or directory |
view_range | array of 2 integers | No | [start_line, end_line], 1-indexed. Use -1 for end_line to read to end of file |
The timeout is 30 seconds. Output is truncated at 16,000 bytes with a notice appended if exceeded.
Behavior varies by target:
- Directory: Lists files up to 2 levels deep, ignoring hidden items and
node_modules/, capped at 200 entries. - Image file (
.jpg,.jpeg,.png,.gif,.webp,.svg,.bmp,.ico): Returns metadata in the format[Image: {filename}, {size} bytes]. Theviewtool describes images by name and size rather than rendering them, so its image set differs from the chat preview: it does not include.avif, and it treats.svgas an image rather than a separate script-safe kind. - Text file: Displays numbered lines. If
view_rangeis provided, only the specified line range is shown.start_lineis clamped to a minimum of 1. Ifend_lineis-1, the view extends to the end of the file.
create_file
Create a new file with content in the sandbox VM.
| Parameter | Type | Required | Description |
|---|---|---|---|
path | string | Yes | Path to the file to create |
file_text | string | Yes | Content to write to the file |
The timeout is 30 seconds. Parent directories are created automatically. On success, returns Created {path} ({n} bytes) where n is the byte length of file_text.
str_replace
Replace a unique string in a file.
| Parameter | Type | Required | Description |
|---|---|---|---|
path | string | Yes | Path to the file to edit |
old_str | string | Yes | String to replace (must appear exactly once in the file) |
new_str | string | No | Replacement string. Omit or leave empty to delete the match |
The timeout is 30 seconds. The old_str value must match the raw file content exactly and appear exactly once. If the string is not found, the tool returns an error. If it appears more than once, the tool returns an error indicating how many times it was found. On success, returns Replaced in {path}.
present_files
Make files visible to the user for viewing and downloading in the chat interface.
| Parameter | Type | Required | Description |
|---|---|---|---|
paths | array of strings | Yes | Absolute paths under /mnt/workspace/outputs/ to present. The first path is the most relevant file for the user |
The timeout is 30 seconds for the entire call. A maximum of 20 paths can be presented per call. Each path must be an absolute path under /mnt/workspace/outputs/ with no .. segments.
The tool does not execute commands in the sandbox. Instead, it checks each file's existence and metadata, then returns a JSON result with download URLs for each file. The chat interface renders these as downloadable file attachments.
File system layout
The sandbox VM uses three directories:
/home/aperture/ # Working directory (assistant's scratch space)
/mnt/workspace/
uploads/ # User-uploaded files (read-only)
outputs/ # Output files (downloadable by user)
/home/aperture/ is the default working directory for all tool commands. The assistant uses this for intermediate work such as scripts, temporary data, and build artifacts. Files in this directory are not visible to users, and they are not preserved when the sandbox is idle-terminated -- only uploaded files and presented output files persist across an idle cycle.
/mnt/workspace/uploads/ contains files that users attach to the conversation. This directory is read-only in the sandbox. To modify an uploaded file, the assistant must copy it to /home/aperture/ first.
/mnt/workspace/outputs/ is where the assistant places final deliverables. Only files in this directory can be presented to users through present_files and downloaded through the chat interface. The present_files tool only accepts paths under this directory.
Size limits and quotas
| Limit | Value | Behavior when exceeded |
|---|---|---|
| File upload size | 25 MB per file | Upload rejected |
| Conversation storage | 5 GiB combined uploads and outputs | All tool calls fail until files are removed |
| Command output | 1 MiB (1,048,576 bytes) | Output truncated with notice |
| File view output | 16,000 bytes | Output truncated with notice |
| Command timeout (bash) | 10 minutes (default, though longer per-call values are capped by the 10-minute turn deadline) | Command terminated |
| Other tool timeout | 30 seconds | Tool call fails |
Files per present_files call | 20 | Error returned |
| Directory listing | 200 entries | Listing truncated |
The conversation storage limit is the combined size of all uploaded files and output files for a single conversation. When this limit is exceeded, all sandbox tool calls (bash, view, create_file, str_replace) fail with an error until files are removed. Starting a new conversation resets the storage.
Supported file types for preview
When the assistant presents output files, the chat interface renders them according to their file type:
| File type | Extensions | Preview behavior |
|---|---|---|
| Images | .png, .jpg, .jpeg, .gif, .webp, .bmp, .ico, .avif | Inline image |
| SVG | .svg | Inline image (handled as a separate kind for script safety) |
.pdf | Inline PDF viewer | |
| HTML | .html, .htm | Sandboxed inline preview (no external resources) |
| Markdown | .md | Rendered inline |
| Text and code | .txt, .py, .js, .jsx, .ts, .tsx, .go, .csv, .json, .yaml, and similar | Syntax-highlighted with line numbers |
| Video | .mp4, .webm, .mov, .m4v, .mkv, .avi | Inline playback |
| Audio | .mp3, .wav, .ogg, .flac, .m4a, .aac, .opus | Inline playback |
| All other types | Any | Download only |
Source files such as .jsx, .tsx, and .mermaid are shown as syntax-highlighted text. The chat interface does not execute React components or render Mermaid diagrams.
HTML files are served with a restrictive Content-Security-Policy that prevents loading external resources. Inline scripts and styles are permitted, but the page runs in a sandboxed iframe with an opaque origin. This means HTML output files cannot fetch data from external URLs or load external scripts. Because the iframe omits allow-same-origin, the page runs with a null origin and cannot read or write localStorage or sessionStorage, or reach the parent page's cookies, storage, or DOM.
Error messages
The following table lists user-visible error messages that may appear in the chat interface or as tool results:
| Error message | Cause | Resolution |
|---|---|---|
This conversation's attached files exceed the sandbox capacity (5 GiB combined). Archive or remove some files and try again. | Combined uploads and outputs exceed 5 GiB | Start a new conversation or remove files |
... output truncated (exceeded 1 MiB) ... | Command produced more than 1 MiB of output | Redirect output to a file, then view specific sections |
... output truncated ... | File view produced more than 16,000 bytes of output | Use view_range to read a specific line range |
Error: string not found in {path} | The old_str text was not found in the file | The assistant re-reads the file and retries with the correct text |
Error: string appears N times in {path} (must be unique) | The old_str text appears more than once in the file | The assistant uses more surrounding context to make the match unique |
too many paths (max 20, got N) | More than 20 paths passed to present_files | The assistant splits the files across multiple calls |
path must be absolute and under /mnt/workspace/outputs/ | A present_files path is not under the outputs directory | The assistant moves the file to /mnt/workspace/outputs/ first |
file not found | A file passed to present_files does not exist at the specified path | The assistant creates the file before presenting it |
command is required | The bash tool was called without a command | The assistant retries with a command |
Exit code: N (followed by output) | A shell command exited with a non-zero status | The assistant reads the error output and adjusts its approach |
These errors appear as tool results in the chat. In most cases the assistant handles them automatically by retrying or adjusting its approach. If the assistant cannot resolve an error, it explains the issue in its response.
For admin-facing errors (HTTP status codes from the download endpoint, sandbox connectivity issues), refer to troubleshoot sandbox issues.
Configuration
The sandbox is available wherever the chat UI is, which is on by default. To remove access, set enable_chat_ui to false in a grant:
| Setting | Type | Description |
|---|---|---|
enable_chat_ui grant | Grant | Optional. Chat access is on by default. Set to false in a grant to remove chat access, which also removes the sandbox tools. |
Tailscale provisions and manages the underlying sandbox infrastructure for your instance.
For step-by-step instructions on enabling the sandbox, refer to the chat sandbox setup topic.