macOS Seatbelt sandbox blocks outbound DNS resolution in Agent mode

[francofang]

macOS Seatbelt sandbox blocks outbound DNS resolution in Agent mode

Summary

Shell commands that require outbound network access (e.g. fetching YouTube content) fail with DNS resolution errors in Agent mode, but work correctly in YOLO mode on the same machine.

Environment

• deepseek-tui 0.8.1
• macOS (Apple Silicon, aarch64)
• Sandbox: macos-seatbelt (as reported by deepseek doctor)
• sandbox_mode: workspace-write (default)

Steps to Reproduce

1. Start DeepSeek TUI in Agent mode (default).
2. Ask the agent to fetch or process content from an external URL (e.g. YouTube).
3. The agent attempts a shell command involving DNS resolution (curl, wget, etc.).
4. DNS resolution fails.

Expected Behavior

After the user approves the shell command, it should execute with full network access, same as running the command directly in the terminal.

Actual Behavior

The command runs inside the Seatbelt sandbox, which blocks DNS resolution. Error message:

DNS resolution failed for YouTube. This is a network issue — the sandbox can't reach YouTube's servers.

Workaround

Switching to YOLO mode resolves the issue, as commands bypass the Seatbelt sandbox wrapper.

Investigation

• Confirmed the issue is not a general network problem — Claude Code and OpenAI Codex execute identical network commands without issue on the same machine.
• Adding sandbox_mode = "danger-full-access" and configuring [network] default = "allow" with explicit domain allowlists in config.toml had no effect. Only switching to YOLO mode resolved it.
• This suggests the Seatbelt profile compiled into the binary restricts outbound network access at the OS level, and user-facing config options cannot override it.

Suggestion

Consider either:

• Allowing outbound network access in the Seatbelt profile after the user has explicitly approved the command (the approval step already provides the safety gate).
• Exposing a config option that controls whether approved shell commands run inside or outside the Seatbelt sandbox.
• Documenting this limitation for macOS users.

[Hmbown]

Confirmed your diagnosis. Independently traced the same root cause and posted a draft PR before seeing this issue (#273 was the dup; closing it in favor of yours).

The Seatbelt profile is generated dynamically per call from `crates/tui/src/sandbox/seatbelt.rs:139-178`, and it only emits `(allow network-outbound)` / `(allow system-socket)` when the policy's `network_access` flag is true. The default `SandboxPolicy::WorkspaceWrite` has `network_access: false`, so by default — including in Agent mode — every outbound socket call gets denied at the kernel level. `getaddrinfo` fails first; that's the DNS error you saw. `config.toml` doesn't override it because the policy in the live runtime is built from `SandboxPolicy::default()` in code, not from your config — that's a separate gap.

Yolo works because `engine.rs::build_tool_context` only elevates the policy to `network_access: true` for that one mode (`crates/tui/src/core/engine.rs:1198`).

Draft PR: #274. Three-line shape change so Agent + Yolo both elevate to network-on; Plan stays at the strict default (read-only investigation never registers the shell tool). Adds a regression test so a revert lights up CI.

Trade-off worth flagging: today the application-level `NetworkPolicy` (`crates/tui/src/network_policy.rs`) only intercepts `fetch_url`, not shell commands. The Seatbelt block was kind-of plugging that hole on macOS. With the PR landed, `curl` could reach a host `NetworkPolicy` denies. Filed as a follow-up rather than blocking the user-visible fix.

Holding the PR as a draft until the maintainer signs off on the security tradeoff.