A Lakkireddy Labs tool · Open source

Cato.

A boundary for AI agents.

A portable sandbox. One config defines what an agent can read, write, and reach — the same rules in every environment.

Rust · MIT · macOS · Linux · Research preview
01 — THE PROBLEM

Agents run with your full permissions.

Every file. Every secret. Every endpoint they can reach. Same for build scripts, npm packages, downloaded code.

You either set up Docker (heavy) or trust everything (risky).

02 — ONE FILE

A config defines the boundary.

A .cato.toml in your repo declares what is readable, what is writable, and which network domains are reachable.

03 — ANYWHERE

Same rules, every environment.

Local, CI, container — the .cato.toml follows the repo. There is no "works on my machine" for your security policy.

Without a sandbox, an agent can touch:
  • ~/.ssh/id_rsa (read)
  • .env, .env.local (read, write)
  • ~/.aws/credentials (read)
  • any URL on the internet (network)
  • your entire $HOME (read, write)
.cato.toml:

  # commit to git — same rules everywhere
  [sandbox]
  allow_write = ["{workspace}", "/tmp"]
  deny_read = ["*.env", "*.key", "*.pem"]
  network = ["github.com", "npmjs.org"]
  tools = ["node", "git", "npm"]
Local · CI · Container: the same .cato.toml in each.
Demo

Boundaries, at the OS level.

Reads of denied files fail at the syscall. Network calls outside the allowlist do not leave the process. No daemon. No container. No root.
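As an added example (not Cato's own code), here is a small Python model of how the .cato.toml shown above could be evaluated: it parses the [sandbox] keys from the page and answers the per-operation read, write and network questions a sandbox has to decide. The matching rules it uses (base-name globs for deny_read, subdomain matching for network, a denied read implying a denied write, and the /home/dev/my-project workspace) are assumptions made for illustration, not the tool's documented semantics.

```python
import fnmatch
import posixpath
import re

# Constructed sample input: the .cato.toml shown on this page.
SAMPLE_CATO_TOML = """
[sandbox]
allow_write = ["{workspace}", "/tmp"]
deny_read = ["*.env", "*.key", "*.pem"]
network = ["github.com", "npmjs.org"]
tools = ["node", "git", "npm"]
"""

def parse_sandbox(text):
    """Parse the [sandbox] string-array subset shown on this page (hand-rolled; a real implementation would use a full TOML parser)."""
    cfg, in_sandbox = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            in_sandbox = line == "[sandbox]"
        elif in_sandbox and (m := re.match(r'^(\w+)\s*=\s*\[(.*)\]$', line)):
            cfg[m.group(1)] = re.findall(r'"([^"]*)"', m.group(2))
    return cfg

class Policy:
    """Answers the read/write/network questions a sandbox decides per syscall."""
    def __init__(self, cfg, workspace):
        ws = posixpath.normpath(workspace)
        self.allow_write = [posixpath.normpath(p.replace("{workspace}", ws)) for p in cfg.get("allow_write", [])]
        self.deny_read = cfg.get("deny_read", [])
        self.network = [d.lower() for d in cfg.get("network", [])]

    def can_read(self, path):
        # Assumption: deny_read globs match the base name, so "*.env" covers ".env".
        name = posixpath.basename(posixpath.normpath(path))
        return not any(fnmatch.fnmatch(name, pat) for pat in self.deny_read)

    def can_write(self, path):
        # normpath collapses "../", so a write cannot escape an allow_write root;
        # assumption: a file that may not be read may not be written either.
        p = posixpath.normpath(path)
        inside = any(p == r or p.startswith(r + "/") for r in self.allow_write)
        return inside and self.can_read(p)

    def can_reach(self, host):
        # Assumption: an allowlisted domain also covers its subdomains.
        h = host.lower().rstrip(".")
        return any(h == d or h.endswith("." + d) for d in self.network)

POLICY = Policy(parse_sandbox(SAMPLE_CATO_TOML), "/home/dev/my-project")
```

Under these assumed glob semantics the page's sample deny_read list stops .env, *.key and *.pem files but not .env.local or ~/.ssh/id_rsa, so check the tool's actual matching rules and extend deny_read to cover the secrets your repo and home directory actually hold.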

Install

A 2 MB binary. Sub-second startup.

macOS
brew tap harikrishnareddyl/cato
brew install cato
Node
npm install -g cato-cli
Python
pip install cato-cli-py
Rust
cargo install cato-cli
Quick start
cd my-project
cato init                        # creates .cato.toml
cato tool add node git python3   # register tools
cato run                         # enter sandbox