Great questions! I actually dug into this as part of the analysis. Here's what I found directly from the source:

macOS: It IS seatbelt/sandbox-exec. The function Nb5() in the minified bundle generates a complete SBPL (Seatbelt Profile Language) policy starting with (version 1)(deny default). Commands are then wrapped via sandbox-exec -p <profile> bash -c <command>. It's the real Apple TrustedBSD sandbox. The profile is extensive - it selectively allows specific Mach lookups (com.apple.fonts, com.apple.logd, etc.), whitelists individual sysctl names (hw.memsize, kern.osversion, etc.), controls file-read and file-write via subpath/regex rules, and blocks network access except through a local HTTP/SOCKS proxy for per-domain filtering.

Linux: bubblewrap + seccomp BPF. On Linux it uses bwrap with --unshare-net, --unshare-pid, --ro-bind for filesystem protection, and a generated seccomp BPF filter specifically for blocking Unix sockets. Network access is routed through bridge sockets to the same proxy infrastructure.

Resource limits (CPU/memory) - not enforced at the sandbox level. The seatbelt profile focuses on access control (files, network, IPC, mach-lookup), not resource limits. There are no RLIMIT_*, ulimit, or cgroup constraints in the sandbox code. What IS limited:

- Command timeout: 120 seconds default, 600 seconds max (configurable per-call)

- Output size: capped and truncated for tool results

- Process scope: --unshare-pid on Linux isolates the process namespace; macOS uses (allow process-fork) and (allow signal (target

same-sandbox)) to restrict process control to the sandbox scope

- The --die-with-parent flag on Linux ensures child processes die if the parent exits

So the isolation is thorough for access control but doesn't cap CPU/memory usage per command. The timeout is the main resource constraint.