Open your Claude Code project in a lightweight sandbox, and avoid unwanted surprises.

Platforms: Linux (stable), macOS (experimental)

The project shadows your $HOME, so no credentials are accessible (except ~/.claude). The project parent folder is mounted read-only so it's possible to access other dependencies.

This project is best used with numtide/llm-agents.nix to get fresh Claude Code versions (among others).

nix run github:numtide/claudebox

Or add to your flake inputs:

{
  inputs.claudebox.url = "github:numtide/claudebox";
}

claudebox [OPTIONS]

• --allow-ssh-agent - Allow access to SSH agent socket (for git operations)
• --allow-gpg-agent - Allow access to GPG agent socket (for signing)
• --allow-xdg-runtime - Allow full XDG runtime directory access
• -h, --help - Show help message

# Run with default settings
claudebox

# Allow SSH agent for git operations
claudebox --allow-ssh-agent

Settings can be stored in ~/.config/claudebox/config.json (or $XDG_CONFIG_HOME/claudebox/config.json). CLI arguments override config file settings.

{
  "allowSshAgent": false,
  "allowGpgAgent": false,
  "allowXdgRuntime": false
}

• Lightweight sandbox using bubblewrap (Linux) or sandbox-exec (macOS)
• Disables telemetry and auto-updates
• Uses --dangerously-skip-permissions (safe in sandbox)

By default, claudebox blocks access to /run/user/$UID (the XDG runtime directory). This directory contains security-sensitive sockets:

Use the --allow-* flags to selectively enable access when needed:

# Allow SSH agent for git push/pull with SSH keys
claudebox --allow-ssh-agent

# Allow GPG agent for commit signing
claudebox --allow-gpg-agent

# Allow full XDG runtime access (use with caution)
claudebox --allow-xdg-runtime

Not a security boundary - designed for transparency, not isolation.

MIT