[nowahe]

By any chance, do you know what Claude Code's sandbox feature uses under the hood and how that relates to your solution ? From what I remember it also uses the native MacOS sandbox framework, but I haven't looked too deep into it and don't trust it fully

[e1g]

Claude Code sandboxing uses the same basic OS primitive but grants read access to the entire filesystem and includes escape hatches (some commands bypass sandboxing). Also, I wanted something solid I can use to limit every agent (OpenCode, Pi, Auggie, etc).

[qalmakka]

On Linux in a pinch you can use bubblewrap to hide and replace directories for a given process

[caspar]

for anyone reading this later, claude code's sandbox code is at https://github.com/anthropic-experimental/sandbox-runtime/