cachix · LorenzBischof · Mar 15, 2025 · Feb 8, 2026 · Feb 9, 2026
diff --git a/devenv-core/src/config.rs b/devenv-core/src/config.rs
@@ -181,6 +181,9 @@ pub struct Config {
     pub backend: NixBackendType,
     #[setting(nested)]
     #[serde(skip_serializing_if = "Option::is_none", default)]
+    pub sandbox: Option<SandboxConfig>,
+    #[setting(nested)]
+    #[serde(skip_serializing_if = "Option::is_none", default)]
     pub secretspec: Option<SecretspecConfig>,
     #[serde(skip_serializing_if = "Option::is_none", default)]
     #[setting(merge = schematic::merge::replace)]
@@ -201,6 +204,13 @@ pub struct SecretspecConfig {
     pub provider: Option<String>,
 }
 
+#[derive(schematic::Config, Clone, Debug, PartialEq, Eq, Serialize, Deserialize, JsonSchema)]
+pub struct SandboxConfig {
+    #[serde(skip_serializing_if = "is_false", default = "false_default")]
+    #[setting(default = false)]
+    pub enable: bool,
+}
+
 // TODO: https://github.com/moonrepo/schematic/issues/105
 pub async fn write_json_schema() -> Result<()> {
     let schema = schema_for!(Config);

diff --git a/devenv-core/src/nix_args.rs b/devenv-core/src/nix_args.rs
@@ -4,7 +4,7 @@
 //! when assembling the devenv environment. The struct is serialized to Nix syntax
 //! using the `ser_nix` crate and inserted into the flake template.
 
-use crate::config::{Config, NixpkgsConfig};
+use crate::config::{Config, NixpkgsConfig, SandboxConfig};
 use miette::{Result, miette};
 use ser_nix::NixLiteral;
 use serde::Serialize;
@@ -302,6 +302,9 @@ pub struct NixArgs<'a> {
     /// Whether the environment is being assembled for testing
     pub devenv_istesting: bool,
 
+    /// Sandbox configuration
+    pub devenv_sandbox: Option<&'a SandboxConfig>,
+
     /// Latest direnvrc version number available
     pub devenv_direnvrc_latest_version: u8,
 
@@ -386,6 +389,7 @@ mod tests {
             devenv_tmpdir: &tmpdir,
             devenv_runtime: &runtime,
             devenv_istesting: false,
+            devenv_sandbox: None,
             devenv_direnvrc_latest_version: 5,
             container_name,
             active_profiles: &profiles,
@@ -491,6 +495,7 @@ mod tests {
             devenv_tmpdir: &tmpdir,
             devenv_runtime: &runtime,
             devenv_istesting: false,
+            devenv_sandbox: None,
             devenv_direnvrc_latest_version: 5,
             container_name: None,
             active_profiles: &profiles,

diff --git a/devenv-nix-backend/bootstrap/bootstrapLib.nix b/devenv-nix-backend/bootstrap/bootstrapLib.nix
@@ -32,6 +32,7 @@ rec {
     , devenv_tmpdir
     , devenv_runtime
     , devenv_istesting ? false
+    , devenv_sandbox ? null
     , devenv_direnvrc_latest_version
     , container_name ? null
     , active_profiles ? [ ]
@@ -128,6 +129,7 @@ rec {
               _module.args.pkgs = evalPkgs.appendOverlays (config.overlays or [ ]);
               _module.args.secretspec = secretspec;
               _module.args.devenvPrimops = primops;
+              _module.args.devenvSandbox = devenv_sandbox;
             }
           )
           (inputs.devenv.modules + /top-level.nix)

diff --git a/devenv.yaml b/devenv.yaml
@@ -34,3 +34,6 @@ imports:
   - devenv-claude-agents
   - ./docs
   - ./devenv-nix-backend
+
+sandbox:
+  enable: false
diff --git a/devenv/src/devenv.rs b/devenv/src/devenv.rs
@@ -1777,6 +1777,7 @@ impl Devenv {
             devenv_tmpdir: &self.devenv_tmp,
             devenv_runtime: &self.devenv_runtime,
             devenv_istesting: is_testing,
+            devenv_sandbox: config.sandbox.as_ref(),
             devenv_direnvrc_latest_version: *DIRENVRC_VERSION,
             container_name: self.container_name.as_deref(),
             active_profiles: &active_profiles,

diff --git a/docs/src/reference/options.md b/docs/src/reference/options.md
@@ -3025,6 +3025,49 @@ string
 
 
 
+## devenv.sandbox
+
+
+
+Sandbox configuration
+
+
+
+*Type:*
+submodule *(read only)*
+
+
+
+*Default:*
+
+```
+{
+  enable = false;
+}
+```
+
+*Declared by:*
+ - [https://github.com/cachix/devenv/blob/main/src/modules/top-level.nix](https://github.com/cachix/devenv/blob/main/src/modules/top-level.nix)
+
+
+
+## devenv.sandbox.enable
+
+
+
+Enable the sandbox. This option is controlled by the ` sandbox.enable ` setting
+in devenv.yaml and cannot be overridden in devenv.nix.
+
+
+
+*Type:*
+boolean *(read only)*
+
+*Declared by:*
+ - [https://github.com/cachix/devenv/blob/main/src/modules/top-level.nix](https://github.com/cachix/devenv/blob/main/src/modules/top-level.nix)
+
+
+
 ## devenv.warnOnNewVersion
 
 
@@ -5369,8 +5412,6 @@ boolean
 
 ## git-hooks.hooks.black
 
-
-
 black hook
 
 
@@ -5385,6 +5426,8 @@ submodule
 
 ## git-hooks.hooks.black.enable
 
+
+
 Whether to enable this pre-commit hook.
 
 
@@ -7437,8 +7480,6 @@ boolean
 
 ## git-hooks.hooks.headache.description
 
-
-
 Description of the hook. Used for metadata purposes only.
 
 
@@ -7458,6 +7499,8 @@ string
 
 ## git-hooks.hooks.headache.settings.header-file
 
+
+
 Path to the header file.