by h45x1
7 days ago
I might be misjudging the security risks, but I can't see myself running Claude Code with full access to my work machine, simply relying on its built-in sandboxes and permission systems. For a long time I simply ran it under QEMU, but that proved less convenient than desired. So, recently I put together a Bash wrapper around bwrap and pasta for sandboxing Claude Code. And while I was at it, I also organized a per-project split for Claude config files, so that sessions, say, and certain other files are always project-specific and there is no possible cross-contamination between projects. Sharing, for it proved non-trivial to run bwrap and pasta together: bwrap creates nested namespaces and so one needs to switch namespaces as well before pasta can be attached to bwrap. Now I can just do `jail project-folder` and then `claude`. The wrapper is for Arch; other distros might need some path adjustments.