bureado · dredozubov · Apr 18, 2026
diff --git a/README.md b/README.md
@@ -58,6 +58,7 @@ Projects using **Linux** security primitives such as bubblewrap, KVM/libkrun, La
 | [shai](https://github.com/colony-2/shai) | containers, Linux namespaces | Agent sandbox using container isolation with a novel [cellular development](https://shai.run/docs/concepts/cellular-development/) model for controlled agent-driven code changes, scoping changes to discrete units. |
 | [Rover Sandbox](https://docs.endor.dev/rover/concepts/sandbox/) | containers | Endor Labs' Rover uses Linux containers to sandbox agent tool execution within its security-focused agent framework. See also the [sandbox implementation code](https://github.com/endorhq/rover/tree/171a5b0eb277f2f1029062167a762a7f14a9b184/packages/cli/src/lib/sandbox). |
 | [Veto (Ona)](https://ona.com/docs/ona/organizations/policies/executable-deny-list) | BPF LSM, content-addressable | Content-addressable kernel enforcement using BPF LSM: blocks executables by SHA-256 hash of binary content (not path), pre-execution with no TOCTOU gap. The [deep dive on agent evasion of path-based controls](https://ona.com/stories/how-claude-code-escapes-its-own-denylist-and-sandbox) is a good read for anyone working with `bubblewrap`. |
+| [Hazmat](https://github.com/dredozubov/hazmat) | macOS, Seatbelt, PF firewall, isolated users, rollback | macOS-native runtime containment for AI agents and coding-agent workflows using isolated macOS users, Seatbelt sandboxing (`sandbox_init` via a privileged helper), PF firewall controls, DNS blocklists, backup/rollback, and a TLA+-checked design (44,795+ states across nine specs covering setup/rollback ordering, seatbelt policy, migration, tier policy equivalence, and helper fd isolation) to reduce host and network blast radius. |
 
 Other tools of potential interest include: