zlacker

Sandboxing AI Agents in Linux

submitted by speckx+(OP) on 2026-02-03 17:35:37 | 118 points 67 comments

4. kernc+iC 2026-02-03 20:06:11
>>speckx+(OP)
As a heads up and affirmation that the approach is correct, here's a small shell bubblewrap wrapper that boils the command line down to `sandbox-run claude --dangerously-skip-permissions`.

https://github.com/sandbox-utils/sandbox-run

7. aktuel+0G 2026-02-03 20:22:54
>>speckx+(OP)
I like this approach for Nix: https://dev.to/andersonjoseph/how-i-run-llm-agents-in-a-secu... It also makes it easy to give the agent access to only the tools it actually needs.
12. davidc+GI 2026-02-03 20:36:12
>>mugges+eG
My app does this on macOS! https://multitui.com
16. secure+ZK 2026-02-03 20:47:39
>>aflag+iG
I recently blogged about how I do this using MicroVMs on NixOS: https://michael.stapelberg.ch/posts/2026-02-01-coding-agent-...
20. senko+wM 2026-02-03 20:53:45
>>mugges+eG
There's https://code.claude.com/docs/en/sandboxing that uses something called Seatbelt on Mac and bubblewrap (the same thing I used here) on Linux.

No idea how customizable that is.

28. bigwhe+jQ 2026-02-03 21:14:12
>>speckx+(OP)
I use Leash [1] [2] for sandboxing my agents (to great effect!). I've been very happy with it, it provides strict policy-level control for all process-level + network-level activity, as well as full visibility and dynamic runtime controls via WebUI. Way better than bubblewrap imo.

I originally saw it here on HN and have been hooked ever since.

[1] Screenshot: https://camo.githubusercontent.com/99b9e199ffb820c27c4e977f2...

[2] https://github.com/strongdm/leash

Fun fact: Do you know what container / sandboxing system is in most widespread use? Not docker containers, certainly not bubblewrap, and not even full VMs or firecracker. It's Chrome tabs.

36. sylvin+SZ 2026-02-03 22:04:08
>>speckx+(OP)
This is the way to go! On my side I've built a very small `claude-vm` wrapper to run each instance in a VM with Lima: https://github.com/sylvinus/agent-vm

37. dgl+g51 2026-02-03 22:32:39
>>jaunty+zA
> Part #2 to me, I also want observability as to what the agent changed.

You could potentially combine https://github.com/binpash/try with bubblewrap (I'm not sure how well they compose and as the docs say it isn't a full sandbox).

The good (and bad because it's confusing and can lead to surprises if misconfigured) thing about Linux containers is all the pieces of containers can be used independently. The "try" tool lets you use the overlay part of containers on your host system, just like Bubblewrap lets you combine the namespacing parts of containers with your host system.

44. kwar13+Vc1 2026-02-03 23:14:56
>>speckx+(OP)
I went exactly the same route: https://kaveh.page/blog/claude-code-sandbox
45. spijda+kd1 2026-02-03 23:18:10
>>necove+s71
Yes, Chromium has "native" sandboxing on all those platforms: Windows [0], Linux [1] and macOS [2].

Chromium uses both seccomp filtering as well as user namespaces (the technology that Docker/Podman use).

The Windows and MacOS sandboxing strategies are more "interesting" because I've seen very few (open source) programs that use those APIs as extensively as Chromium. On Windows, it makes use of AppContainer [3] (among other things), while on MacOS it uses the sparsely documented sandbox API [4], which I think was based on code from TrustedBSD?

[0] https://chromium.googlesource.com/chromium/src/+/HEAD/docs/d...

[1] https://chromium.googlesource.com/chromium/src/+/HEAD/sandbo...

[2] https://www.chromium.org/developers/design-documents/sandbox...

[3] https://learn.microsoft.com/en-us/windows/win32/secauthz/app...

[4] https://manp.gs/mac/7/sandbox

48. ashish+Qf1 2026-02-03 23:33:08
>>speckx+(OP)
I ended up writing my own sandbox so that it works on Mac OS as well and can be used for other tools (not just AI agents) as well

https://github.com/ashishb/amazing-sandbox

49. ashish+bg1 2026-02-03 23:34:26
>>mugges+eG
Try https://github.com/ashishb/amazing-sandbox
51. virtua+7h1 2026-02-03 23:39:02
>>speckx+(OP)
This one was posted here recently; works quite well for me:

https://github.com/lukehinds/nono

57. eikenb+Yq1 2026-02-04 00:34:47
>>jaunty+zA
Bubblewrap supports overlayfs mounts [1]. Seems like you should be able to replicate that flow with it.

[1] https://github.com/containers/bubblewrap/issues/412
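Putting the two points above together (bubblewrap's namespacing pieces from dgl's comment in 37, and bubblewrap's own overlayfs support from eikenb's comment in 57) gives a wrapper in which the agent's writes land in an overlay upper directory you can review before accepting. The following is an added example written for this page; it is not code from the sandbox-run, try or bubblewrap projects. It assumes bubblewrap 0.10 or newer (the `--overlay-src`/`--overlay` options), unprivileged user namespaces, and a kernel that allows overlayfs mounts inside a user namespace (Linux 5.11+). The function names `bwrap_flags`, `sandbox_run`, `sandbox_changes` and the `SANDBOX_STATE` variable are invented here.

```shell
#!/bin/sh
# Added example, not the sandbox-run/try/bubblewrap projects' code.
# Assumes: bubblewrap >= 0.10 (--overlay*), unprivileged user namespaces,
# overlayfs mountable in a userns (Linux >= 5.11). Names are invented here.
set -eu

# bwrap_flags PROJECT UPPER WORK HOME_DIR
# Print, one per line, the bubblewrap flags for a sandbox that sees the
# host system directories read-only, a private home, and PROJECT through an
# overlay whose writes go to UPPER (paths containing newlines are not
# supported by this line-oriented helper).
# --new-session drops the controlling tty so the agent cannot inject
# keystrokes via TIOCSTI; for an interactive TUI that also drops SIGINT and
# SIGWINCH from the terminal, so you may prefer dev.tty.legacy_tiocsti=0
# (Linux >= 6.2) or a seccomp filter instead.
bwrap_flags() {
  project=$1 upper=$2 work=$3 homedir=$4
  printf '%s\n' \
    --unshare-all --share-net \
    --die-with-parent \
    --new-session \
    --ro-bind /usr /usr \
    --ro-bind-try /bin /bin \
    --ro-bind-try /sbin /sbin \
    --ro-bind-try /lib /lib \
    --ro-bind-try /lib64 /lib64 \
    --ro-bind-try /etc/ssl /etc/ssl \
    --ro-bind-try /etc/resolv.conf /etc/resolv.conf \
    --proc /proc \
    --dev /dev \
    --tmpfs /tmp \
    --bind "$homedir" "${HOME:-/root}" \
    --overlay-src "$project" \
    --overlay "$upper" "$work" "$project" \
    --chdir "$project" \
    --clearenv \
    --setenv HOME "${HOME:-/root}" \
    --setenv PATH /usr/local/bin:/usr/bin:/bin \
    --setenv TERM "${TERM:-dumb}"
}

# sandbox_run CMD...: run CMD (e.g. claude --dangerously-skip-permissions)
# inside the sandbox built around the current directory. Host dotfiles
# (~/.ssh, ~/.aws, ...) are not visible; the agent's own config persists
# under $SANDBOX_STATE/home between runs.
sandbox_run() {
  project=$(pwd -P)
  state=${SANDBOX_STATE:-${XDG_CACHE_HOME:-${HOME:-/root}/.cache}/sandbox-run}
  mkdir -p "$state/upper" "$state/work" "$state/home"
  # bwrap --args FD reads NUL-separated options from FD, so paths with
  # spaces survive; the temp file is unlinked once fd 3 holds it open.
  argsfile=$(mktemp)
  bwrap_flags "$project" "$state/upper" "$state/work" "$state/home" \
    | tr '\n' '\0' > "$argsfile"
  exec 3< "$argsfile"
  rm -f "$argsfile"
  exec bwrap --args 3 -- "$@"
}

# sandbox_changes UPPER: report what the agent changed without touching the
# project. Overlayfs stores new or modified files as regular files in UPPER
# and deletions as 0/0 character-device "whiteouts". Output: "M path" for
# modified/new files, "D path" for deletions, sorted.
sandbox_changes() {
  upper=$1
  { find "$upper" -type f | sed "s|^$upper/|M |"
    find "$upper" -type c | sed "s|^$upper/|D |"; } | LC_ALL=C sort
}

# Executed with arguments: run them sandboxed. With none: only define the
# functions, so the file can be sourced.
[ $# -eq 0 ] || sandbox_run "$@"
```

After a session, `sandbox_changes "$SANDBOX_STATE/upper"` lists the writes; `diff -ru` the upper tree against the project, copy what you accept with `cp -a`, apply deletions by hand, then empty the upper directory before the next run. Caveats: upper and work must live on the same non-overlay filesystem; Ubuntu 24.04's AppArmor profile blocks unprivileged user namespaces for unconfined binaries by default; and `--share-net` leaves the agent's network wide open, so this limits what it can touch on disk, not what it can send out, which is where a policy layer such as the Leash tool mentioned above or a VM comes in.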

64. schmuh+wo2 2026-02-04 09:01:28
>>speckx+(OP)
My attempt at a portable solution: Linux VM inside WASM for sandboxed execution: http://agentvm.deepclause.ai

Minimal dependencies, but not as fast as containers or bubblewrap.
