diff --git a/claudebox.sh b/claudebox.sh
index bc2ebbd..b15ded8 100644
--- a/claudebox.sh
+++ b/claudebox.sh
@@ -82,6 +82,41 @@ else
 SANDBOX_CMD=("$CLAUDE_BIN" --dangerously-skip-permissions "${CLAUDE_ARGS[@]}")
 fi
 
+# --dry-run: print the bwrap command without executing (D-09, UX-04)
+if [[ "$DRY_RUN" == true ]]; then
+ {
+ echo "bwrap \\"
+ echo " --clearenv \\"
+ dry_run_i=0
+ while (( dry_run_i < ${#ENV_ARGS[@]} )); do
+ printf ' %s %s %q \\\n' "${ENV_ARGS[$dry_run_i]}" "${ENV_ARGS[$((dry_run_i+1))]}" "${ENV_ARGS[$((dry_run_i+2))]}"
+ (( dry_run_i += 3 ))
+ done
+ echo " --tmpfs / \\"
+ echo " --proc /proc \\"
+ echo " --dev /dev \\"
+ echo " --tmpfs /tmp \\"
+ echo " --ro-bind /nix/store /nix/store \\"
+ echo " --bind /nix/var/nix /nix/var/nix \\"
+ echo " --ro-bind /etc/resolv.conf /etc/resolv.conf \\"
+ echo " --ro-bind /etc/ssl /etc/ssl \\"
+ echo " --ro-bind /etc/static /etc/static \\"
+ echo " --ro-bind /etc/passwd /etc/passwd \\"
+ echo " --ro-bind /etc/group /etc/group \\"
+ echo " --ro-bind /etc/hosts /etc/hosts \\"
+ echo " --ro-bind /etc/nsswitch.conf /etc/nsswitch.conf \\"
+ echo " --ro-bind /etc/nix /etc/nix \\"
+ printf ' --symlink %q /usr/bin/env \\\n' "$(readlink -f "$(command -v env)")"
+ echo " --tmpfs $HOME \\"
+ echo " --bind $HOME/.claudebox $HOME/.claude \\"
+ printf ' --ro-bind %q %s/.gitconfig \\\n' "$GITCONFIG_TMP" "$HOME"
+ echo " --bind $CWD $CWD \\"
+ echo " --chdir $CWD \\"
+ printf ' -- %s\n' "${SANDBOX_CMD[*]}"
+ } >&2
+ exit 0
+fi
+
 # exec bwrap (SAND-04 through SAND-15, UX-06, D-01)
 exec bwrap \
 --clearenv \
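Review bot: The dry-run block is a second, hand-written copy of the sandbox policy: every mount from `--tmpfs /` to `--chdir $CWD` is echoed as a literal, while the real `exec bwrap` call that follows (its body continues outside the hunk) is maintained separately, so the output people rely on to audit the sandbox can drift from what is actually enforced. Building the argument list once and using it on both paths removes that risk, e.g. `BWRAP_ARGS=(--clearenv "${ENV_ARGS[@]}" --tmpfs / …)`, then `printf ' %q' bwrap "${BWRAP_ARGS[@]}" -- "${SANDBOX_CMD[@]}" >&2` in the dry-run branch and `exec bwrap "${BWRAP_ARGS[@]}" -- "${SANDBOX_CMD[@]}"` otherwise. That also fixes the inconsistent quoting here: `$HOME` and `$CWD` are printed unquoted and `${SANDBOX_CMD[*]}` flattens argument boundaries, so a path or argument containing spaces is shown incorrectly. Separately, the loop prints the third element of each `ENV_ARGS` triple verbatim to stderr; if any of those values are credentials forwarded into the sandbox (not visible in this hunk), consider masking them in dry-run output so they do not end up in terminal logs or CI output.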