diff --git a/.planning/seeds/SEED-001-agent-agnostic.md b/.planning/seeds/SEED-001-agent-agnostic.md new file mode 100644 index 0000000..f5f7608 --- /dev/null +++ b/.planning/seeds/SEED-001-agent-agnostic.md 
@@ -0,0 +1,44 @@ +--- +id: SEED-001 +status: dormant +planted: 2026-04-09 +planted_during: v1.0 / Phase 1 +trigger_when: v2.0 milestone +scope: Large +--- + +# SEED-001: Make claudebox agent-agnostic + +## Why This Matters + +claudebox currently hardcodes Claude Code as the sandboxed agent. But the bwrap sandbox pattern (clearenv, filesystem isolation, secret hiding, tool provisioning) is equally useful for other AI coding agents — Codex, Gemini CLI, OpenRouter-based tools, etc. Making the sandbox agent-agnostic turns claudebox from a single-tool wrapper into a general-purpose AI sandbox that works with whatever agent the user prefers. + +## When to Surface + +**Trigger:** v2.0 milestone — when starting the next major version after the Claude-specific sandbox is stable and proven. + +This seed should be presented during `/gsd-new-milestone` when the milestone scope matches any of these conditions: +- Multi-agent or agent-agnostic support is discussed +- v2.0 planning begins +- User wants to support additional AI coding tools + +## Scope Estimate + +**Large** — full milestone. Requires rethinking the command structure (agent selection via flag or config), agent-specific env var allowlists, agent-specific binary resolution, and potentially different bwrap mount profiles per agent (e.g., Codex may need different paths than Claude). + +## Breadcrumbs + +Related code and decisions in the current codebase: + +- `claudebox.sh` — `CLAUDE_BIN` resolution and `--dangerously-skip-permissions` are Claude-specific +- `flake.nix` — `claude-code` is a hardcoded runtimeInput via `nix-claude-code` flake +- `.planning/phases/01-minimal-viable-sandbox/01-01-PLAN.md` — threat model assumes Claude Code specifically +- `CLAUDEBOX_EXTRA_ENV` escape hatch already provides a pattern for agent-specific env needs + +## Notes + +Key design questions for v2.0: +- Should agents be selectable via `claudebox --agent codex` or via config file? 
+- Should each agent have its own env allowlist profile? +- Rename from "claudebox" to something agent-neutral? (breaking change) +- The `--dangerously-skip-permissions` flag is Claude-specific — other agents have different permission models
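Review bot: the per-agent env allowlist and bwrap mount profile items under "Scope Estimate" and "Notes" have no matching design question about the threat model, even though "Breadcrumbs" records that `01-01-PLAN.md`'s threat model assumes Claude Code specifically and "Why This Matters" rests the sandbox's value on clearenv and secret hiding. A per-agent allowlist or mount profile that admits an agent's own config and credential paths widens what the sandboxed process can read, so each agent profile needs its own pass over what is exposed. Suggest adding to the "Notes" list: `- Which host paths and env vars does each agent actually need, and does its mount profile/allowlist hide everything else?`, and stating that `CLAUDEBOX_EXTRA_ENV`, being an escape hatch that sits outside whatever allowlist a profile enforces, should not become the mechanism for per-agent env needs in v2.0; the profile should be.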