Source

Competitive parity: Claude Code v2.1.77 — per-path allowRead/denyRead rules with carve-outs within broader deny regions.

Gap

Zeph's sandbox controls execution (shell blocked_commands, confirm_patterns) and write access (FileExecutor allowed_paths) but has no path-level read sandboxing. An agent can read any file in CWD (or allowed_paths) including secrets in config files, dotfiles, and credentials.

Zeph applicability

• Add [tools.shell] deny_read = [] and allow_read = [] glob lists evaluated in order (deny-then-allow)
• FileExecutor already has allowed_paths for writes; extend to read_denied_paths and read_allowed_paths
• Relevant to security hardening: prevent accidental exposure of vault key files or .env files
• Implementation sketch: in FileExecutor::read(), check path against ordered deny/allow list before reading