Don't YOLO your file system

https://jai.scs.stanford.edu/

jai - easy containment for AI agents

Super-lightweight Linux sandbox for AI agents

Add this to .claude/settings.json:

{
  "sandbox": {
    "enabled": true,
    "filesystem": {
      "allowRead": ["."],
      "denyRead": ["~/"],
      "allowWrite": ["."],
      "denyWrite": ["/"]
    }
  }
}


You can change the read part if you're ok with it reading outside. This feature was only added 10 days ago, fwiw, but it's great and pretty much this.
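As an added example (not code from the thread, from jai, or from Claude Code), here is a small Python script that evaluates that settings.json policy for concrete paths and then compares the verdict with what the running process can actually do, which is the check to run from the agent's own shell before trusting the sandbox. The precedence rules are assumptions, not documented behaviour: rules are path prefixes, "." is the project directory and "~" is $HOME, the longest matching prefix wins so a specific allow can carve a hole out of a broader deny (the posted config relies on that, since "." sits under "~/"), unmatched reads default to allowed (the sandbox still has to load /bin/sh) and unmatched writes default to denied. The settings text is embedded as constructed sample input.

```python
"""Added example: claimed vs. actual filesystem access under a sandbox policy.
Prefix / longest-match / default semantics are assumptions (see lead-in)."""
import json
import os
import posixpath
import tempfile

# The settings.json snippet from the thread, embedded here as sample input.
SETTINGS_JSON = """
{
  "sandbox": {
    "enabled": true,
    "filesystem": {
      "allowRead": ["."],
      "denyRead": ["~/"],
      "allowWrite": ["."],
      "denyWrite": ["/"]
    }
  }
}
"""


def expand_rule(rule, project, home):
    """Resolve '.', '~' and relative rules to an absolute, normalised prefix."""
    if rule == "." or rule.startswith("./"):
        rule = posixpath.join(project, "" if rule == "." else rule[2:])
    elif rule == "~" or rule.startswith("~/"):
        rule = posixpath.join(home, "" if rule == "~" else rule[2:])
    elif not rule.startswith("/"):
        rule = posixpath.join(project, rule)
    return posixpath.normpath(rule)


def _matches(prefix, path):
    """True when path is the prefix itself or lies beneath it."""
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def decide(path, allow, deny, default, project, home):
    """Longest matching prefix wins; equal length goes to deny; no match -> default."""
    path = posixpath.normpath(path)
    best_len, verdict = -1, default
    for rules, value in ((allow, True), (deny, False)):
        for rule in rules:
            prefix = expand_rule(rule, project, home)
            if _matches(prefix, path):
                n = len(prefix)
                if n > best_len or (n == best_len and value is False):
                    best_len, verdict = n, value
    return verdict


def evaluate(settings, path, project, home):
    """Return (readable, writable) that the policy claims for `path`."""
    fs = json.loads(settings)["sandbox"]["filesystem"]
    r = decide(path, fs.get("allowRead", []), fs.get("denyRead", []), True, project, home)
    w = decide(path, fs.get("allowWrite", []), fs.get("denyWrite", []), False, project, home)
    return r, w


def probe_dir(directory):
    """What this process can really do: list the directory, then create and
    remove a scratch file in it.  Run from the agent's bash tool to see whether
    the policy is enforced rather than merely configured."""
    try:
        os.listdir(directory)
        readable = True
    except OSError:
        readable = False
    try:
        with tempfile.NamedTemporaryFile(dir=directory):
            writable = True
    except OSError:
        writable = False
    return readable, writable


def audit(settings, directories, project, home):
    """Directories where the policy says no but the process could still do it."""
    failures = []
    for d in directories:
        claim, real = evaluate(settings, d, project, home), probe_dir(d)
        if (real[0] and not claim[0]) or (real[1] and not claim[1]):
            failures.append((d, claim, real))
    return failures


if __name__ == "__main__":
    project, home = os.getcwd(), os.path.expanduser("~")
    for d in [project, home, os.path.join(home, ".ssh"), "/etc", "/tmp"]:
        print(d, "policy:", evaluate(SETTINGS_JSON, d, project, home), "actual:", probe_dir(d))
    for d, claim, real in audit(SETTINGS_JSON, [home, "/tmp"], project, home):
        print("NOT ENFORCED:", d, "policy", claim, "actual", real)
```

Run it once from a normal shell (everything outside the project should show as writable, because nothing is confining you) and once through the agent's sandboxed bash tool; any "NOT ENFORCED" line from the second run means the policy is a wish, not a boundary. The probe only covers file access in the current process, so an out-of-band path such as ssh to localhost is outside what it can detect.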

I think the point would be that some random upcoming revision of claude-code could remove or simply change the config name just as silently as it was introduced.

People might genuinely want some other software to do the sandboxing. Something other than the fox.

Is this a real sandbox or just a pretty please?
https://code.claude.com/docs/en/sandboxing says they integrated bubblewrap (Linux/Windows), Seatbelt (macOS) and give an error if the sandbox can't be supported, so it appears to be real.
https://docs.docker.com/ai/sandboxes/ Any idea on how that compares to this docker feature in development?
It seems like it's controlled by the Bash tool (https://code.claude.com/docs/en/sandboxing) and then bubblewrap (https://github.com/containers/bubblewrap) on linux and Seatbelt on mac at the system level
By default it will automatically retry many tool calls that fail due to the sandbox with the sandbox disabled. In other words it can and will leave the sandbox.
Interesting, thanks. I use remote ephemeral dev containers with isolated envs, so filesystem damage isn't really a concern as long as the PR looks good in review. Nice extra guardrail though, will add it to the project-level settings.

It will just do

ssh you@localhost "rm -rf ~"

I've seen claude get confused about what directory it's in. And of course I've seen claude run rm -rf *. Fortunately not both at the same time for me, but not hard to imagine. The claude sandbox is a good idea, but to be effective it would need to be implemented at a very low level and enforced on all programs that claude launches. Also, claude itself is an enormous program that is mostly developed by AI. So to have a small <3000-line human-implemented program as another layer of defense offers meaningful additional protection.