diff --git a/claudebox.sh b/claudebox.sh
index efc6e43..d46dce5 100644
--- a/claudebox.sh
+++ b/claudebox.sh
@@ -62,6 +62,35 @@ if [[ "$CHECK_MODE" == true ]]; then
 fi
 fi
 
+# ANSI formatting (D-03)
+if [[ -t 2 ]] && [[ "${NO_COLOR:-}" == "" ]]; then
+ BOLD=$'\033[1m'
+ RESET=$'\033[0m'
+ DIM=$'\033[2m'
+ CYAN=$'\033[36m'
+ YELLOW=$'\033[33m'
+ GREEN=$'\033[32m'
+ RED=$'\033[31m'
+else
+ BOLD="" RESET="" DIM="" CYAN="" YELLOW="" GREEN="" RED=""
+fi
+export RED # used by confirmation prompt (Task 2)
+
+# Mask sensitive values (D-04)
+mask_value() {
+ local name="$1" value="$2"
+ local upper="${name^^}"
+ if [[ "$upper" == *KEY* || "$upper" == *TOKEN* || "$upper" == *SECRET* || "$upper" == *PASSWORD* || "$upper" == *CREDENTIAL* ]]; then
+ if (( ${#value} > 11 )); then
+ echo "${value:0:7}...${value: -4}"
+ else
+ echo "***"
+ fi
+ else
+ echo "$value"
+ fi
+}
+
 # SANDBOX_PATH is injected by flake.nix via makeBinPath (only runtimeInputs, no host PATH)
 # Resolve binary paths from runtimeInputs
 SANDBOX_BASH="$(command -v bash)"
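Review bot: mask_value reveals almost the entire secret when the value is short: any value longer than 11 characters is printed with its first 7 and last 4 characters, so a 12-character password has only one character hidden. Show a partial value only when the exposed part is a small fraction of it, for example `if (( ${#value} >= 32 )); then printf '%s...%s\n' "${value:0:4}" "${value: -4}"`, and print `***` otherwise. Matching is by name substring only, so a credential held in a variable whose name contains none of the five words falls through to the final `else` and is printed in full; a comment on the function should say so. The plain `echo "$value"` also misprints values such as `-n` and sends any control characters in the value straight to the terminal, which `printf '%q\n' "$value"` would avoid.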
@@ -88,6 +117,14 @@ cat > "$GITCONFIG_TMP" <&2 + echo "" >&2 + + # Sandbox-generated (D-01) + echo "${BOLD}Sandbox-generated:${RESET}" >&2 + for var in "${AUDIT_SANDBOX_KEYS[@]}"; do + if [[ "$var" == "PATH" ]]; then + echo " ${GREEN}PATH=${RESET}" >&2 + IFS=':' read -ra path_entries <<< "${AUDIT_SANDBOX_VALS[PATH]}" + for entry in "${path_entries[@]}"; do + echo " ${DIM}${entry}${RESET}" >&2 + done + else + echo " ${GREEN}${var}=${RESET}$(mask_value "$var" "${AUDIT_SANDBOX_VALS[$var]}")" >&2 + fi + done + echo "" >&2 + + # Host allowlisted (D-01) + if (( ${#AUDIT_HOST_KEYS[@]} > 0 )); then + echo "${BOLD}Host (allowlisted):${RESET}" >&2 + for var in "${AUDIT_HOST_KEYS[@]}"; do + echo " ${YELLOW}${var}=${RESET}$(mask_value "$var" "${AUDIT_HOST_VALS[$var]}")" >&2 + done + echo "" >&2 + fi + + # Extra from CLAUDEBOX_EXTRA_ENV (D-01) + if (( ${#AUDIT_EXTRA_KEYS[@]} > 0 )); then + echo "${BOLD}Extra (CLAUDEBOX_EXTRA_ENV):${RESET}" >&2 + for var in "${AUDIT_EXTRA_KEYS[@]}"; do + echo " ${YELLOW}${var}=${RESET}$(mask_value "$var" "${AUDIT_EXTRA_VALS[$var]}")" >&2 + done + echo "" >&2 + fi +} + # Build sandbox command if [[ "$SHELL_MODE" == true ]]; then SANDBOX_CMD=("$SANDBOX_BASH" "${CLAUDE_ARGS[@]}")