Native Windows sandbox is live in Zagens v0.7.4 — plus CRAFT and session restore improvements
Hey Product Hunt 👋
Quick update from the Zagens team. v0.7.4 is out, and the headline for Windows users is native OS-level sandboxing — not just a config flag, but real process isolation when agents run shell commands on your machine.
Why this matters
Most desktop agents can run arbitrary commands locally. That’s powerful — and risky. Zagens has always treated exec policy + approval UI as the baseline. With this release, Windows gets the same class of enforcement macOS already had via Seatbelt: restricted tokens, workspace write boundaries, and (in elevated mode) profile read isolation + outbound network blocking.
We’d rather be honest about scope than oversell: Linux OS enforcement is still evolving; on Windows, elevated setup (one-time UAC) unlocks the full sandbox; unelevated fallback still gives workspace write isolation but not full profile read isolation.
What shipped: Windows native sandbox (Phase 2–3)
Elevated mode (recommended): zagens sandbox setup creates dedicated sandbox users, WFP outbound blocks, grant/deny-read ACLs for sensitive profile paths, DPAPI-backed secrets, and full teardown.
Interactive terminal in the sandbox: ConPTY-backed exec_shell (tty: true) runs through an elevated command-runner — so agents can use real shells, not just one-shot commands.
Desktop-first UX: Settings → Sandbox panel + a first-run onboarding wizard so you know whether sandboxing is configured vs actually enforced.
CLI helpers: zagens sandbox add-read-dir, setup/teardown, and G2 acceptance probes (14/14 when setup is complete).
Docs: Sandbox capability matrix
Other improvements in v0.7.4
CRAFT multi-agent: per-role model picks for implementer / verifier / auditor in Settings → Security.
Session restore: clearer restore progress, cache vs replay source, degraded-session warnings, and a Reload action if thread replay fails.
Windows shell reliability: fixed ConPTY deadlocks, spawn CWD issues, background IPC, and process-tree cleanup — long-horizon tasks should fail less on “infra” and more on real code.
Security hardening: MCP stdio registration lockdown, audit deliverable gates, SSRF and prompt-injection fixes from the 0.7.3 line.
What Zagens is (if you’re new here)
Zagens is a desktop agent harness — Tauri 2 UI + local runtime sidecar — for Code and Office workspaces on your machine. Bring your own API key (DeepSeek or any OpenAI-compatible endpoint). Long tasks use completion gates (build/test/verify layers) so “the model said done” isn’t enough. Plus session replay, MCP/skills, embedded PTY, and Office deliverables (xlsx/docx/pptx/pdf).
Download: zagens.com/download · GitHub: github.com/didclawapp-ai/zagens · MIT licensed.
We’d love your feedback
Windows users: did the sandbox wizard make sense? Elevated vs unelevated — which path did you take?
What guardrails matter most to you — network block, profile read isolation, or approval UI?
Anything still blocking you from running agents locally on Windows?
Thanks for following along. We’re building for people who want agents that actually work on long tasks, with auditability and boundaries — not another chat window.
— The Zagens team

Replies