[semi-extrinsic]

IIUC your talk "just" suggests using sandbox-exec on Mac, which (as you point out) is sadly labeled as deprecated.

Is that really the best solution the world has to offer in 2025? LLMs aside, there is a whole host of supply chain risk issues that would be resolved by deploying convenient and strong sandboxes everywhere.

[simonw]

My preferred solutions right now:

1. A sandbox on someone else's computer. Claude Code for web, Codex Cloud, Gemini Jules, GitHub Codespaces, ChatGPT/Claude Code Interpreter

2. A Docker container. I think these are robust enough to be safe.

3. sandbox-exec related tricks. I haven't poked hard enough at Claude Code's new sandbox-exec sandbox yet - they only released it on Monday. OpenAI Codex CLI was using sandbox-exec too last time I looked but again, I've not reviewed it enough to be comfortable with it.

I'm hoping more credible options come along for the sandboxing problems.

[mentalgear]

I found Vibekit's (open-source https://docs.vibekit.sh/sdk) approach of allowing you to chose your own sandboxing solution for any coding cli the most flexible. Also works with openCode and local or cloud sandboxes ! Really quality piece of software that more devs should know about. I'm surprised Simon hasn't tried it yet.

[knowaveragejoe]

If I understand correctly, Claude Code will(shortly, if not already) make use of Anthropic's sandbox that wraps Seatbelt on OS X, not sandbox-exec?

It's cool that they made this open source. It seems straightforward and useful enough that it could be used on its own for sandboxing purposes.

https://docs.claude.com/en/docs/claude-code/sandboxing

https://github.com/anthropic-experimental/sandbox-runtime

[simonw]

That library is using sandbox-exec to access Seatbelt: https://github.com/anthropic-experimental/sandbox-runtime/bl...

[simonw]

Yeah they shipped that feature on Monday, you can access it via the /sandbox command. I haven't put it through its paces enough to get a feel for if I trust it yet though.