e1g | 11 days ago

Claude Code sandboxing uses the same basic OS primitive but grants read access to the entire filesystem and includes escape hatches (some commands bypass sandboxing). Also, I wanted something solid I can use to limit every agent (OpenCode, Pi, Auggie, etc.).

qalmakka | 11 days ago

On Linux in a pinch you can use bubblewrap to hide and replace directories for a given process.
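
Added example, not part of either comment above: a wrapper that uses bubblewrap to hide `$HOME` behind an empty tmpfs and re-expose a single project directory read-write for an agent process. The names `sandbox_agent` and `SANDBOX_DRY_RUN` are hypothetical; only the `bwrap` options are bubblewrap's own, and the rest of the filesystem stays readable (read-only) under this layout.

```shell
#!/bin/sh
# Added example. sandbox_agent and SANDBOX_DRY_RUN are hypothetical names;
# the bwrap options are bubblewrap's own.
#
# Usage: sandbox_agent PROJECT_DIR COMMAND [ARGS...]
sandbox_agent() {
    [ "$#" -ge 2 ] || { echo "usage: sandbox_agent DIR CMD [ARGS...]" >&2; return 2; }
    project=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no such directory: $1" >&2; return 1; }
    shift
    home=$(cd "${HOME:?HOME must be set}" && pwd -P) || return 1

    # Binding / or $HOME (or a parent of it) writable would undo the hiding.
    if [ "$project" = / ]; then
        echo "refusing to expose /" >&2; return 1
    fi
    case "$home/" in
        "$project"/*) echo "refusing to expose $project: it contains \$HOME" >&2; return 1 ;;
    esac

    # bwrap applies mounts in order, so later mounts overlay earlier ones:
    #   1. whole filesystem, read-only
    #   2. empty tmpfs over $HOME (hides dotfiles, keys, other projects)
    #   3. the project directory bound back in, read-write
    # --new-session detaches the controlling terminal; --die-with-parent
    # kills the sandboxed process if this wrapper exits.
    set -- \
        --ro-bind / / \
        --tmpfs "$home" \
        --tmpfs /tmp \
        --dev /dev \
        --proc /proc \
        --bind "$project" "$project" \
        --chdir "$project" \
        --unshare-pid --unshare-ipc --unshare-uts \
        --die-with-parent --new-session \
        -- "$@"

    if [ "${SANDBOX_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"      # show the argument list, one per line
    else
        bwrap "$@"
    fi
}
```

Setting `SANDBOX_DRY_RUN=1` prints the argument list instead of launching `bwrap`, which is a quick way to review the mount order before trusting it.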