Hacker News
by crabmusket 95 days ago
While we're all here - share your actual sandboxing tips!

I've been running Claude Code inside VS Code devcontainers. Claude's docs have a suggested setup for this which even includes locking down outgoing internet access to an approved domain list.

Unfortunately our stack doesn't really fit inside a devcontainer without docker-in-docker, so I'm only getting Claude to run unit tests for now. And integration with JJ workspaces is slightly painful.

I'm this close to trying a full VM setup with Vagrant.

1 comment

We started a "science project" taking concepts from Multi Level Security to constraining AI agents. https://aflock.ai/. The idea is to have different data zones, and if an Agent accesses from a private zone, they should not be able to interact with the public zone.
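The zone rule described in the comment above, sketched as an added example (not code from the thread or from the aflock project): a per-session high-water mark that denies any public-zone tool once the session has touched the private zone. The tool names, zone labels and sample trace are hypothetical and constructed for illustration.

```python
from enum import IntEnum


class Zone(IntEnum):
    PUBLIC = 0
    PRIVATE = 1


# Hypothetical tool-to-zone labels; a real deployment would load these from policy.
TOOL_ZONES = {
    "web_fetch": Zone.PUBLIC,
    "post_issue_comment": Zone.PUBLIC,
    "read_customer_db": Zone.PRIVATE,
    "write_internal_notes": Zone.PRIVATE,
}


class AgentSession:
    """Tracks the most sensitive zone a session has touched (its high-water mark)."""

    def __init__(self):
        self.high_water = Zone.PUBLIC
        self.audit = []  # (tool, allowed, reason) tuples kept for later review

    def authorize(self, tool):
        zone = TOOL_ZONES.get(tool)
        if zone is None:
            allowed, reason = False, "unlabelled tool, default deny"
        elif zone < self.high_water:
            # Session already holds private data: no interaction with a lower zone.
            allowed, reason = False, f"session tainted by {self.high_water.name}"
        else:
            allowed, reason = True, f"{zone.name} zone permitted"
            self.high_water = max(self.high_water, zone)
        self.audit.append((tool, allowed, reason))
        return allowed


def replay(trace):
    """Run a list of tool names through a fresh session; return decisions and session."""
    session = AgentSession()
    return [session.authorize(tool) for tool in trace], session


# Constructed trace of tool calls an agent might request, in order.
SAMPLE_TRACE = ["web_fetch", "read_customer_db", "web_fetch",
                "shell_exec", "write_internal_notes", "post_issue_comment"]

if __name__ == "__main__":
    for entry in replay(SAMPLE_TRACE)[1].audit:
        print(entry)
```

The taint is deliberately one-way: the only way back to the public zone is a new session with no carried-over context.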