Building a Sandbox for Claude Code

Dec 13 2025 3 min read

I want to give Claude Code full autonomy without worrying about what it might do to my system. Here’s the sandbox setup I’ve been running for the past month.

Motivation

I want Claude to run with full autonomy, which means no permission prompts interrupting the flow. But I also don’t want it deleting my hard drive.

Goals:

  • Multiple agents running in parallel, each isolated and with full autonomy
  • Strict guardrails that don’t require constant attention

What’s Working

I’m running Claude Code inside a Docker container, heavily repurposed from Anthropic’s Dockerfile example. The container mounts the project directory, and inside the container I run Claude Code with --dangerously-skip-permissions. The container’s locked down so it can’t destroy anything else on my system, but it’s also not asking me for permission every couple of minutes.

I also lean heavily on git, which functions as another layer of undo (though I suppose Claude Code could delete the .git folder if it was really feeling naughty; perhaps a future optimization!).

The container comes pre-configured with:

  • A dedicated GitHub user (not me), with SSH and GPG already set up
  • npm, uv, playwright, and other tools pre-installed
  • A network firewall

The separate GitHub identity is deliberate. It lets me see at a glance who wrote what, and pushes me to treat AI as a colleague rather than an autocomplete. I suspect we’ll see more of this pattern in the near future.

What’s Not Working

Network Firewall

I want to block outbound network traffic at the container level. Claude shouldn’t be able to exfiltrate code or hit arbitrary endpoints.

But I also want to dynamically allow things. And I don’t want Claude to be able to dynamically allow things. Right now I have a script in the container that can dynamically allow things, which means Claude can too, which sort of defeats the purpose of a network firewall.
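One way to move the allow capability out of the agent’s reach, as an added example that is not code from the original post or from clankercage: keep the allowlist file and this script on the host, apply the rules to Docker’s DOCKER-USER chain (which filters forwarded container traffic before Docker’s own rules), and start the container without NET_ADMIN (Docker’s default capability set already omits it; don’t add it back with --cap-add), so nothing running inside can edit the rules. The chain name, sandbox subnet and sample allowlist entries are assumptions.

```python
import ipaddress
import subprocess

CHAIN = "SANDBOX-EGRESS"          # hypothetical chain name, created by this script
SANDBOX_SUBNET = "172.30.0.0/24"  # assumed: subnet of the sandbox's Docker network
# Constructed sample (documentation ranges); real entries: git host, registries, DNS resolver.
SAMPLE_ALLOWLIST = "203.0.113.0/24  # git host (placeholder)\n192.0.2.53  # DNS (placeholder)\n"

def parse_allowlist(text):
    """One IPv4 address or CIDR per line, '#' comments ignored. Malformed entries,
    IPv6 and catch-all prefixes are refused so one bad line cannot open all egress."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r} is not an IP or CIDR") from exc
        if net.version != 4 or net.prefixlen == 0:
            raise ValueError(f"line {lineno}: {net} is IPv6 or a catch-all; refused")
        nets.append(net)
    return nets

def build_rules(allowed, subnet=SANDBOX_SUBNET):
    """iptables argv lists that rebuild the egress chain idempotently: traffic from
    the sandbox subnet jumps into CHAIN, allowed destinations RETURN to Docker's
    normal handling, everything else is dropped (replies have the remote as source)."""
    rules = [["iptables", "-N", CHAIN],   # fails harmlessly if it already exists
             ["iptables", "-F", CHAIN]]   # start from an empty chain every run
    for net in allowed:
        rules.append(["iptables", "-A", CHAIN, "-d", str(net), "-j", "RETURN"])
    rules.append(["iptables", "-A", CHAIN, "-j", "DROP"])
    # Docker consults DOCKER-USER before its own FORWARD rules; delete-then-insert
    # keeps exactly one hook for the sandbox subnet at the top of it.
    rules.append(["iptables", "-D", "DOCKER-USER", "-s", subnet, "-j", CHAIN])
    rules.append(["iptables", "-I", "DOCKER-USER", "1", "-s", subnet, "-j", CHAIN])
    return rules

def apply_rules(rules, dry_run=True):
    """Run on the host as root; '-N' on an existing chain and '-D' of an absent
    hook are expected failures, anything else aborts. Returns the rule count."""
    for argv in rules:
        print(" ".join(argv))                  # log each rule; a dry run shows only this
        rc = 0 if dry_run else subprocess.run(argv, capture_output=True).returncode
        if rc != 0 and argv[1] not in ("-N", "-D"):
            raise RuntimeError(f"{' '.join(argv)} exited {rc}")
    return len(rules)
```

Re-running the script after editing the host-side allowlist is the "dynamically allow" step; the container never sees the script or the file, and the rules do not apply if the container is started with --network host.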

Agent Communication

I run 3-4 Claude instances in parallel using tmux. They don’t yet talk to each other. I’ve recently learned about git worktrees and that’s helped avoid collisions (particularly because I’ll have each agent work on a single issue / PR) but I’d like a better communication strategy, particularly with more autonomous or long lived agents. I know this is a hot topic that many people are exploring.

Outside-In Communication

Right now I interact with Claude via tmux panes in a terminal. I want more mechanisms of interacting with agents; I’d like to text from my phone, forward emails, leave comments on a GitHub PR and have them automatically picked up and addressed. I don’t know how to solve this yet.

Code

I expect Claude Code (or competitors) will solve most of these problems eventually. Sandboxing, agent coordination, external triggers: these are obvious next steps for the ecosystem.

In the meantime, I have a partial solution, with Claude doing most of the heavy lifting (yes, the AI built its own cage). That’s increasingly how I’m thinking about software: less “find the right tool” and more “build exactly what you need for this moment in time” (since the cost of software is dropping so dramatically; this project took me about a day and a half).

Full code lives at clankercage for your forking pleasure.