pi-bash-readonly
Sandboxed read-only bash for Pi agents via bwrap.
When this extension is active, every bash tool call runs inside a bwrap sandbox where the entire filesystem is mounted read-only. By default nothing is writable — truly read-only.
This uses Linux mount namespaces. Unlike regex-based command filtering, writes are blocked at the filesystem level — from any language runtime (Python, Perl, dd, etc.).
Why
Pi agents can run arbitrary bash commands. For agents that should only read code (reviewers, scouts, auditors), you want a guarantee that bash can't modify anything — not just a prompt instruction that can be ignored.
pi-bash-readonly provides that guarantee at the OS level. A read-only bind mount cannot be bypassed from userspace, regardless of what the LLM tries.