claude-code with --dangerously-skip-permissions, minus the danger

ai-safety claude-code cli developer-tools go nix nix-flake nixos security

Find a file

Christopher Mühl 6465da8583 feat(04-01): add credential file mount for OAuth passthrough - Add CREDS_FILE/CREDS_MOUNT detection after mkdir ~/.claudebox - Conditional --bind in exec bwrap via BWRAP_ARGS array - Mirror conditional bind in --dry-run display block - Read-write mount (not ro-bind) for OAuth token refresh - Silent skip when credentials file absent (no error/warning) - Refactor exec bwrap to BWRAP_ARGS array for conditional mount support		2026-04-10 09:20:18 +00:00
.planning	feat(04-01): add credential file mount for OAuth passthrough	2026-04-10 09:20:18 +00:00
CLAUDE.md	docs: create roadmap (3 phases)	2026-04-09 10:32:35 +02:00
claudebox.sh	feat(04-01): add credential file mount for OAuth passthrough	2026-04-10 09:20:18 +00:00
flake.lock	fix: SHELL path, PATH isolation, --shell flag, nix-claude-code input	2026-04-09 14:59:43 +02:00
flake.nix	fix: SHELL path, PATH isolation, --shell flag, nix-claude-code input	2026-04-09 14:59:43 +02:00
README.md	docs: fix remote URL and add flake usage to README	2026-04-09 22:04:41 +02:00

README.md

claudebox

Run Claude Code inside a bubblewrap sandbox with an allowlisted environment, explicit filesystem mounts, and a minimal PATH.

SSH keys, GPG/age secrets, cloud tokens, and Tailscale state stay completely invisible to the AI agent. If a secret is accessible inside the sandbox, it's a bug.

Quick start

nix run git+https://git.toph.so/toph/claudebox

Or add to your flake:

{
  inputs.claudebox.url = "git+https://git.toph.so/toph/claudebox";
}

Then add inputs.claudebox.packages.${system}.default to your environment.systemPackages or home-manager packages.

What it does

Starts Claude Code inside a bwrap namespace with --clearenv
Only allowlisted env vars enter the sandbox (HOME, PATH, TERM, EDITOR, LANG, ANTHROPIC_API_KEY)
Mounts CWD read-write, Nix store read-only, everything else is tmpfs
Provides nix shell and comma (, <tool>) so Claude can install tools on demand
Injects a SANDBOX.md so Claude knows it's sandboxed and how to get tools
Pre-configures git identity and safe.directory from host

Flags

Flag	Description
`--yes`, `-y`	Skip the env audit and launch immediately
`--dry-run`	Print the bwrap command without executing
`--check`	Verify prerequisites and exit
`--shell`	Drop into a bash shell instead of Claude Code
`--`	Pass remaining args to Claude Code

Extra env vars

Pass additional host variables into the sandbox:

CLAUDEBOX_EXTRA_ENV=MY_VAR,OTHER_VAR claudebox

How it works

~/.claudebox/          # persistent config dir (host)
├── CLAUDE.md          # user-owned, claudebox ensures @SANDBOX.md import
└── SANDBOX.md         # managed by claudebox, overwritten each launch

Inside the sandbox:
  ~/.claudebox  →  bind-mounted from host
  ~/.claude     →  symlink to ~/.claudebox

Claude Code reads ~/.claude/CLAUDE.md which imports @SANDBOX.md via Claude's @-import syntax. Both ~/.claude and ~/.claudebox resolve to the same directory inside the sandbox, so hook paths and settings work without fixups.

Requirements

NixOS or Nix with flakes enabled
User namespaces (enabled by default on NixOS)
ANTHROPIC_API_KEY set in your environment

License

MIT