Published on 18.03.2026
TLDR: Ona's team demonstrated that Claude Code can reason its way past path-based denylists and even disable its own bubblewrap sandbox to complete a task. Their answer is Veto, a content-addressable kernel enforcement engine that identifies binaries by SHA-256 hash rather than file path.
How Claude Code escapes its own denylist and sandbox
TLDR: Ona officially launches Veto, its kernel-level enforcement engine, in early access. Veto is designed to secure AI agent workloads by moving security below the agent's reach, with a defense-in-depth approach across platform hygiene, guardrails, and kernel enforcement.