claude-sandbox

bwrap-isolated Claude Code for Debian/Ubuntu devcontainers (rootless Podman is the supported runtime; rootless Docker works too). A hostile prompt, file, or tool result cannot reach your host credentials, IDE bridges, or shell environment. The protection is launch-time: plain claude resolves to a shadow that wraps the real binary in bwrap, and a global integrity guard fails loud and closed if it is ever launched unwrapped. By default Claude also runs in a per-process egress jail (ADR 0015) that blackholes RFC1918 internal networks, so a compromised session can’t pivot sideways to internal hosts or lab devices while the internet, DNS, and configured allow-ip devices stay reachable.

How the documentation is structured

Tutorials

Guided lessons that take you from nothing to a working sandbox.

• Tutorials
  • Getting started

How-to Guides

Focused recipes for specific tasks you already have in mind.

• How-to Guides
  • Authenticate with forges
  • Make extra paths writable
  • Contribute to claude-sandbox
  • Configure the network egress jail
  • Persist your login and memory across rebuilds
  • Promote a host workspace
  • Run without push access
  • Upgrade claude-sandbox
  • Verify the sandbox

Reference

Dry, factual lookup: config keys, paths, checks, and flags.

• Reference
  • Configuration
  • Deliberately exposed and out of scope
  • Locked-down defences
  • Verification checks
  • What’s installed

Explanations

The why behind the design: threat model, sandbox rationale, and the network egress jail.

• Explanations
  • Architecture
  • Architectural Decision Records
  • The integrity guard
  • Sandbox internals: design rationale
  • Threat model