Beyond permission prompts: making Claude Code more secure and autonomous


With Claude Code, Claude plans, tests and debugs alongside you: it navigates your codebase, edits multiple files and runs commands to verify its work. Giving Claude this much access to your codebase and files carries risk, especially from prompt injection.

To help address this, we are introducing two new sandboxing-based features in Claude Code, both designed to give developers a safer working environment while letting Claude operate more autonomously with fewer permission prompts. In our internal use, we found that sandboxing safely reduced permission prompts by 84 percent. By defining boundaries within which Claude can work freely, sandboxing adds both security and agency.

Claude Code runs on a permission-based model: by default it is read-only, meaning it asks for permission before making changes or running any command. There are some exceptions: we automatically allow safe commands such as echo or cat, but most operations still require explicit approval.

Repeatedly clicking "approve" slows down the development loop and can lead to "approval fatigue": users stop paying close attention to what they are approving, which makes development less secure, not more.

To solve this problem, we are launching sandboxing for Claude Code.

Sandboxing creates predefined boundaries within which Claude can work freely rather than asking permission for every action. With the sandbox enabled, you get far fewer permission prompts and stronger security at the same time.

Our sandboxing approach relies on operating-system-level features to enforce two boundaries: filesystem isolation and network isolation.

Note that effective sandboxing requires both filesystem isolation and network isolation. Without network isolation, a compromised agent could exfiltrate sensitive files such as SSH keys; without filesystem isolation, a compromised agent could easily escape the sandbox and gain network access. By combining the two, we can offer Claude Code users an agent experience that is both safer and faster.

We are introducing a new sandbox runtime, available in beta as a research preview, that lets you define the directories and network hosts an agent may access without the overhead of starting and managing containers. It can be used to sandbox any process, agent or MCP server, and it is also available as an open-source research preview.

In Claude Code, we use this runtime in the sandboxed bash tool, which lets Claude run commands within the boundaries you define. Inside the sandbox, Claude can work more autonomously and more safely, running commands without a permission prompt. If Claude tries to access anything outside the sandbox, you are notified immediately and can choose whether to allow it.

We built it on the operating system's native primitives (bubblewrap on Linux and Seatbelt on macOS, for example) so that these restrictions are enforced at the OS level. They cover not only Claude Code's own direct actions but also any script, program or subprocess spawned by a command. As noted above, the sandbox enforces both filesystem isolation and network isolation.

Both components are configurable: you can allow or deny specific file paths and domains.
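To make the two boundaries concrete, here is an added example (not Claude Code's own implementation, whose configuration format and internals are not shown on this page) of a deny-by-default policy checker over an assumed allow/deny configuration: paths are normalized before comparison so `..` traversal out of the project cannot slip past a prefix check, and hosts are matched exactly or by an anchored `*.example.com` suffix. The class name, field names and the sample policy are all constructed for illustration; in the real runtime the kernel enforces the decision, so symlinks and the like are resolved there rather than lexically as here.

```python
from __future__ import annotations

import posixpath
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def _under(path: str, root: str) -> bool:
    """True if `path` equals `root` or lies strictly below it (both POSIX-style)."""
    root = posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def _host_matches(host: str, pattern: str) -> bool:
    """Exact host match, or a '*.example.com' pattern matching any subdomain.
    The suffix is anchored at the end, so 'example.com.attacker.test' never matches."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


@dataclass
class SandboxPolicy:
    """Assumed configuration shape: explicit allow-lists, everything else denied."""
    allowed_paths: list[str]                                # directories the agent may use
    denied_paths: list[str] = field(default_factory=list)   # carve-outs inside allowed dirs
    allowed_hosts: list[str] = field(default_factory=list)  # "github.com", "*.npmjs.org", ...

    def check_path(self, cwd: str, path: str) -> bool:
        # Resolve relative paths and '..' lexically, so '../.ssh/id_ed25519' is compared
        # as '/home/dev/.ssh/id_ed25519' rather than as a string starting with the project dir.
        full = posixpath.normpath(posixpath.join(cwd, path))
        if any(_under(full, d) for d in self.denied_paths):
            return False
        return any(_under(full, a) for a in self.allowed_paths)

    def check_host(self, url: str) -> bool:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        return bool(host) and any(_host_matches(host, p) for p in self.allowed_hosts)


def audit(policy: SandboxPolicy, cwd: str,
          actions: list[tuple[str, str]]) -> list[tuple[str, str, bool]]:
    """Evaluate ('path' | 'net', target) actions. Denied entries are the ones the
    sandbox would stop and surface to the user as a prompt."""
    results = []
    for kind, target in actions:
        allowed = policy.check_path(cwd, target) if kind == "path" else policy.check_host(target)
        results.append((kind, target, allowed))
    return results


if __name__ == "__main__":
    # Constructed sample policy and a constructed list of attempted actions.
    policy = SandboxPolicy(
        allowed_paths=["/home/dev/project", "/tmp"],
        denied_paths=["/home/dev/project/.env"],
        allowed_hosts=["github.com", "*.npmjs.org"],
    )
    attempts = [
        ("path", "src/main.py"),
        ("path", "../.ssh/id_ed25519"),
        ("path", ".env"),
        ("net", "https://registry.npmjs.org/left-pad"),
        ("net", "https://npmjs.org.attacker.example/"),
        ("net", "http://169.254.169.254/latest/meta-data/"),
    ]
    for kind, target, ok in audit(policy, "/home/dev/project", attempts):
        print(f"{'ALLOW' if ok else 'DENY ':5} {kind:4} {target}")
```

Running the block prints one ALLOW/DENY line per attempted action; every DENY corresponds to the "you are notified and can choose whether to allow it" moment described above.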

The sandbox ensures that even a successful prompt injection is fully contained and cannot compromise the user's broader security. A compromised Claude Code session therefore cannot steal your SSH keys or phone home to an attacker's server.

To start using this feature, run /sandbox in Claude Code, and read more technical details about our security model.

To make it easier for other teams to build more secure agents, we are releasing this runtime as open source. We believe others should consider adopting this technique for their own agents to improve their security.

Today we are also launching Claude Code on the web, which lets users run Claude Code in a sandbox in the cloud. Claude Code on the web runs every Claude Code session in an isolated sandbox, where it can work securely. We designed this sandbox so that sensitive files (such as git credentials or signing keys) never appear inside Claude Code's sandbox. That way, even if code running in the sandbox is compromised, the user is protected from further harm.

Claude Code on the web uses a custom proxy service to handle all git interactions transparently. Inside the sandbox, the git client authenticates to this service with a custom, narrowly scoped credential. The proxy verifies the credential and the git operation (for example, ensuring that pushes go only to the configured branch) and then forwards the request to GitHub.
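The following is an added example of the authorization step such a proxy performs before forwarding a push upstream; it is an assumed design written for this page, not Anthropic's proxy code. Session credentials, the repository and branch scope attached to each one, and the `authorize_push` function are all constructed. The real upstream credential stays with the proxy and is never issued into the sandbox, which is the property the paragraph above describes; the deletion and force-push refusals are additional rules an operator might add, not something the page states.

```python
from __future__ import annotations

import hmac
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionGrant:
    repo: str    # the one "owner/name" repository this session may touch
    branch: str  # the one branch this session may push to


# Constructed table of session-scoped credentials issued into sandboxes.
# The proxy alone holds the real GitHub credential; a sandbox only ever sees its own token.
GRANTS: dict[str, SessionGrant] = {
    "sbx-session-0001": SessionGrant(repo="example-org/app", branch="claude/fix-login-bug"),
}

_DST_REF = re.compile(r"^refs/heads/[^\s:]+$")


def _lookup(token: str) -> SessionGrant | None:
    """Constant-time comparison against every known token, so the response time
    does not reveal how much of a guessed token matched."""
    found = None
    for known, grant in GRANTS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            found = grant
    return found


def authorize_push(token: str, repo: str, refspec: str) -> tuple[bool, str]:
    """Decide whether a `git push` refspec may be forwarded upstream.

    Returns (allowed, reason). Anything not explicitly permitted is refused."""
    grant = _lookup(token)
    if grant is None:
        return False, "unknown or expired session credential"
    if repo != grant.repo:
        return False, f"repository {repo!r} is outside this session's scope"

    # A refspec is [+]<src>[:<dst>]; a bare name is shorthand for name:name.
    force = refspec.startswith("+")
    spec = refspec[1:] if force else refspec
    src, _, dst = spec.partition(":")
    if not dst:
        dst = src
    if not dst.startswith("refs/"):
        dst = "refs/heads/" + dst

    if not src:                      # ':refs/heads/x' deletes the remote branch
        return False, "branch deletion is not permitted"
    if force:                        # assumed extra rule, not from the page
        return False, "force push is not permitted"
    if not _DST_REF.fullmatch(dst) or dst != f"refs/heads/{grant.branch}":
        return False, f"push target {dst!r} is not the configured branch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests as the proxy would see them from a sandboxed git client.
    for tok, repo, spec in [
        ("sbx-session-0001", "example-org/app", "HEAD:refs/heads/claude/fix-login-bug"),
        ("sbx-session-0001", "example-org/app", "HEAD:refs/heads/main"),
        ("sbx-session-0001", "example-org/other", "HEAD:refs/heads/claude/fix-login-bug"),
        ("guessed-token", "example-org/app", "HEAD:refs/heads/claude/fix-login-bug"),
    ]:
        ok, why = authorize_push(tok, repo, spec)
        print(f"{'FORWARD' if ok else 'REFUSE ':7} {repo} {spec}: {why}")
```

Only the first of the four constructed requests is forwarded; the others are refused for the wrong branch, the wrong repository and an unknown credential respectively.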

Our new sandboxed bash tool and Claude Code on the web are a major improvement in both security and productivity for developers who work with Claude.

To get started with these tools, run /sandbox in Claude Code or try Claude Code on the web.

Or, if you are building your own agent, take a look at our open-source sandbox runtime and consider integrating it into your work. We look forward to seeing what you build.

For more about Claude Code on the web, see our announcement post.

This post was written by David Dworken, Oliver Weller-Davis, Meaghan Choi, Catherine Wu, Molly Vorwerck, Alex Isken, Kier Bradwell and Kevin Garcia.


![Beyond permission prompts: making Claude Code more secure and autonomous](https://cdn.sanity.io/images/4zrzovbb/website/5140cdbe58c21cc117e5f90bfe17245893cbce8d-2400x1260.png)
