---
id: SEED-001
status: dormant
planted: 2026-04-09
planted_during: v1.0 / Phase 1
trigger_when: v2.0 milestone
scope: Large
---

# SEED-001: Make claudebox agent-agnostic

## Why This Matters

claudebox currently hardcodes Claude Code as the sandboxed agent. But the bwrap sandbox pattern (clearenv, filesystem isolation, secret hiding, tool provisioning) is equally useful for other AI coding agents — Codex, Gemini CLI, OpenRouter-based tools, etc. Making the sandbox agent-agnostic turns claudebox from a single-tool wrapper into a general-purpose AI sandbox that works with whatever agent the user prefers.

## When to Surface

**Trigger:** v2.0 milestone — when starting the next major version after the Claude-specific sandbox is stable and proven.

This seed should be presented during `/gsd-new-milestone` when the milestone scope matches any of these conditions:

- Multi-agent or agent-agnostic support is discussed
- v2.0 planning begins
- User wants to support additional AI coding tools

## Scope Estimate

**Large** — full milestone. Requires rethinking the command structure (agent selection via flag or config), agent-specific env var allowlists, agent-specific binary resolution, and potentially different bwrap mount profiles per agent (e.g., Codex may need different paths than Claude).

## Breadcrumbs

Related code and decisions in the current codebase:

- `claudebox.sh` — `CLAUDE_BIN` resolution and `--dangerously-skip-permissions` are Claude-specific
- `flake.nix` — `claude-code` is a hardcoded runtimeInput via `nix-claude-code` flake
- `.planning/phases/01-minimal-viable-sandbox/01-01-PLAN.md` — threat model assumes Claude Code specifically
- `CLAUDEBOX_EXTRA_ENV` escape hatch already provides a pattern for agent-specific env needs

## Notes

Key design questions for v2.0:

- Should agents be selectable via `claudebox --agent codex` or via config file?
- Should each agent have its own env allowlist profile?
- Rename from "claudebox" to something agent-neutral? (breaking change)
- The `--dangerously-skip-permissions` flag is Claude-specific — other agents have different permission models