Sandbox
The sandbox runs AI CLI tools inside a bubblewrap (bwrap) container that restricts filesystem access, network egress, and environment variables. When an AI tool executes code — installing packages, running scripts, making API calls — the sandbox limits what that code can reach.
Linux only. macOS and Windows are not supported.
What gets sandboxed
The sandbox enforces three boundaries:
Filesystem. The sandboxed process can only see your current working directory. The rest of the filesystem is hidden. This prevents AI-generated code from reading or modifying files outside the project.
Network. Outbound connections are blocked by default. You explicitly allow specific domains (for API calls) and localhost ports (for local dev servers). Everything else is denied.
Environment variables. Only env vars you explicitly allow are passed into the sandbox. API keys, tokens, and other secrets in your shell environment stay outside unless you opt them in.
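As an added illustration (not syllago's own code), the sketch below shows one way the filesystem and environment boundaries, plus the deny-all network default, can be expressed with bwrap and `env -i`. The function name `run_confined`, the `BWRAP` and `DRY_RUN` variables, and the read-only system mounts are assumptions of this sketch; the domain and port allowlists are not modelled.

```shell
#!/bin/sh
# Added illustration, not syllago's code: one way to express the three
# boundaries with bwrap and env. BWRAP and DRY_RUN are names chosen here.
BWRAP=${BWRAP:-bwrap}

# run_confined "ALLOWED_ENV_NAMES" COMMAND [ARGS...]
# Runs COMMAND with the current directory as the only writable host path,
# no network, and only the allowlisted environment variables.
run_confined() {
    allowed=$1; shift
    project=$(pwd -P)

    # Filesystem: system directories read-only so the command can start
    # (an assumption of this sketch), private /tmp, then the project itself.
    # Network: --unshare-net gives a new namespace with loopback only.
    set -- "$BWRAP" --die-with-parent --unshare-pid --unshare-net \
        --ro-bind /usr /usr --ro-bind-try /bin /bin \
        --ro-bind-try /lib /lib --ro-bind-try /lib64 /lib64 \
        --proc /proc --dev /dev --tmpfs /tmp \
        --bind "$project" "$project" --chdir "$project" "$@"

    # Environment: prepend NAME=value for allowlisted names that are set.
    # Names are validated as identifiers before they reach eval.
    for name in $allowed; do
        case $name in ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;; esac
        eval "if [ \"\${$name+set}\" = set ]; then
                  set -- \"$name=\${$name}\" \"\$@\"; fi"
    done

    # env -i starts bwrap itself from an empty environment, so variables
    # that are not listed above never enter the sandbox.
    set -- env -i PATH=/usr/bin:/bin "$@"
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$@"      # one argument per line, for review
    else
        "$@"
    fi
}
```

Setting `DRY_RUN=1` prints the assembled command, including the values of forwarded variables, instead of running it.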
Prerequisites
Two system packages must be installed:
- bubblewrap (bwrap) >= 0.4.0 — the container runtime
- socat >= 1.7.0 — used for network proxying through the sandbox boundary
Install them with your system package manager:

    # Debian / Ubuntu
    sudo apt install bubblewrap socat

    # Fedora
    sudo dnf install bubblewrap socat

    # Arch
    sudo pacman -S bubblewrap socat

Verify everything is ready:

    syllago sandbox check

To also verify that a specific provider works inside the sandbox:

    syllago sandbox check claude-code

Running a provider in the sandbox
Once prerequisites are in place, run any provider inside the sandbox:

    syllago sandbox run claude-code

This starts the provider with filesystem, network, and env var restrictions active. The provider works normally from the user’s perspective, but its access is constrained to what you’ve allowed.
One-off overrides
You can extend the sandbox for a single session without changing your saved configuration:

    # Allow an extra domain for this session only
    syllago sandbox run claude-code --allow-domain api.example.com

    # Forward an extra env var into the sandbox
    syllago sandbox run claude-code --allow-env MY_API_KEY

    # Allow a localhost port (e.g., a local dev server)
    syllago sandbox run claude-code --allow-port 3000

    # Mount an additional path read-only
    syllago sandbox run claude-code --mount-ro /usr/share/dict

    # Block all network (no proxy at all)
    syllago sandbox run claude-code --no-network

These flags can be combined and repeated.
Configuring allowed access
The sandbox maintains persistent allowlists for domains, ports, and env vars. These apply every time you run sandbox run.
Domains
Domains control which hosts the sandboxed process can reach over the network.

    # Allow a domain
    syllago sandbox allow-domain api.anthropic.com

    # Remove a domain
    syllago sandbox deny-domain api.anthropic.com

    # List all allowed domains
    syllago sandbox domains

Localhost ports
Ports control which localhost services are reachable from inside the sandbox. Useful for local dev servers, databases, or other services running on your machine.

    # Allow a port
    syllago sandbox allow-port 8080

    # Remove a port
    syllago sandbox deny-port 8080

    # List all allowed ports
    syllago sandbox ports

Environment variables
Env vars control which shell variables are passed into the sandbox. By default, none are forwarded — the sandbox starts with a clean environment.

    # Allow an env var
    syllago sandbox allow-env ANTHROPIC_API_KEY

    # Remove an env var
    syllago sandbox deny-env ANTHROPIC_API_KEY

    # List all allowed env vars
    syllago sandbox env

Inspecting the configuration
To see the effective sandbox configuration (all allowed domains, ports, and env vars):

    syllago sandbox info

To see the configuration that would apply to a specific provider:

    syllago sandbox info claude-code

Typical setup
A practical setup for using Claude Code in the sandbox:

    # 1. Check prerequisites
    syllago sandbox check claude-code

    # 2. Allow the API endpoint
    syllago sandbox allow-domain api.anthropic.com

    # 3. Pass through the API key
    syllago sandbox allow-env ANTHROPIC_API_KEY

    # 4. Allow a local dev server if needed
    syllago sandbox allow-port 3000

    # 5. Run it
    syllago sandbox run claude-code

After initial setup, step 5 is the only one you repeat. The allowlists persist across sessions.
Related
- CLI reference: sandbox commands — full flag and option details for all sandbox subcommands
- CLI reference: sandbox run — all flags for sandbox run
- CLI reference: sandbox check — prerequisite verification