Choose a sandbox environment - Claude Code Docs

Detailed Analysis

Claude Code's official documentation outlines a tiered framework for isolating its operations during coding sessions, addressing a core security concern that arises when AI agents are granted elevated or automated permissions to execute code. The documentation identifies five primary sandboxing approaches: a built-in sandboxed Bash tool, a sandbox runtime package, a preconfigured development container, custom containers, and full virtual machines, along with a hosted web option managed entirely by Anthropic. Each approach differs in the scope of what it isolates — from restricting only Bash commands and their child processes to encapsulating the entire operating system — as well as in setup complexity and whether Docker is required. The documentation draws a critical architectural distinction: only the sandboxed Bash tool operates without containing the full Claude Code process, meaning that file tools, MCP servers, and hooks remain unconstrained on the host when only that approach is used.

The documentation places particular emphasis on the relationship between permission modes and isolation boundaries, treating them as complementary rather than redundant safeguards. The `--dangerously-skip-permissions` flag, which removes per-action human review entirely, is flagged as requiring a container, VM, or sandbox runtime as a compensating control, since without review the isolation boundary becomes the sole constraint on Claude's actions. A separate "auto mode" uses a classifier to evaluate each action against the original request scope and block escalations or suspicious behaviors — but the documentation explicitly notes this classifier is not itself an isolation boundary, meaning it functions as a behavioral guardrail rather than a hard resource constraint. This layered framing reflects a mature security architecture philosophy, acknowledging that no single control is sufficient and that defense in depth remains necessary even with intelligent behavioral classifiers in place.

The introduction of the `@anthropic-ai/sandbox-runtime` package represents a notable development in how Anthropic is approaching agentic deployment at scale. By wrapping the entire Claude Code process in the same OS-level primitives — macOS Seatbelt and Linux bubblewrap — that the built-in Bash sandbox uses, the runtime extends isolation coverage to every component of a session, including third-party MCP servers and user-defined hooks that previously ran unconstrained on the host. The package is explicitly labeled a beta research preview with a potentially unstable configuration format, signaling that Anthropic regards robust agentic sandboxing as an active area of development rather than a solved problem. The documentation also addresses organizational enforcement, suggesting that standardizing sandboxed environments across developer teams is a supported use case — a consideration that points toward enterprise deployment scenarios where individual developer choices cannot be relied upon.

Broadly, this documentation reflects an industry-wide reckoning with the security implications of agentic AI systems that operate with persistent, automated, and increasingly autonomous access to computing resources. As AI coding assistants evolve from interactive suggestion tools toward agents capable of extended unattended work, the attack surface expands considerably — particularly through mechanisms like MCP servers that connect Claude to external services and tools. Anthropic's explicit guidance to run `--dangerously-skip-permissions` only inside hard isolation boundaries, and its acknowledgment that prompt-injected hostile content is a real threat vector that auto mode's classifier is designed to detect, indicates that the company is treating adversarial prompt injection as a first-class concern in agentic contexts. The tiered sandboxing architecture described here parallels similar efforts at other AI labs and cloud providers to bring traditional systems security principles — least privilege, process isolation, boundary enforcement — into environments where the executing agent is a large language model rather than deterministic software.