marketing-shibata50/claude-code-ultimate-guide
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
claude-code-ultimate-guide/examples/config/sandbox-native.json
Florian BRUNIAUX 6910c06981 docs: add Native Sandboxing comprehensive documentation (v3.21.1) 
Integration of official Anthropic sandboxing docs (5/5 CRITICAL):

Created (5 files):
- guide/sandbox-native.md (~3K words): Complete technical reference
  * OS primitives (Seatbelt/bubblewrap), filesystem/network isolation
  * Sandbox modes, escape hatch, security limitations
  * Decision trees, config examples, troubleshooting
- docs/resource-evaluations/native-sandbox-official-docs.md (5/5 score)
- examples/config/sandbox-native.json (production config)
- examples/commands/sandbox-status.md (sandbox inspection)
- examples/hooks/bash/sandbox-validation.sh (prod validation)

Updated (5 files):
- guide/sandbox-isolation.md: Section 4 "Native Claude Code Sandbox"
  * Comparison Native vs Docker (process-level vs microVM)
  * Updated TL;DR, comparison matrix, decision tree
- guide/architecture.md: Native Sandbox sub-section in Security Model
- machine-readable/reference.yaml: +24 sandbox entries
- VERSION: 3.21.0 → 3.21.1
- README.md: Templates 100→103, Evaluations 44→45
- CHANGELOG.md: v3.21.1 entry

Closes critical security documentation gap (~1800 words missing).
Fact-checked 100%, agent-challenged (technical-writer), production-ready.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-02 20:24:17 +01:00

55 lines
1.6 KiB
JSON
Raw Blame History

{
"$schema": "https://code.claude.com/schemas/settings.json",
"description": "Native Claude Code sandbox configuration example",
"sandbox": {
"autoAllowMode": true,
"allowUnsandboxedCommands": false,
"filesystem": {
"allowedWritePaths": [
"${CWD}",
"/tmp"
],
"deniedReadPaths": [
"${HOME}/.ssh",
"${HOME}/.aws",
"${HOME}/.kube",
"${HOME}/.gnupg",
"${HOME}/.config/gcloud"
]
},
"network": {
"policy": "deny",
"allowedDomains": [
"api.anthropic.com",
"registry.npmjs.com",
"registry.yarnpkg.com",
"files.pythonhosted.org",
"pypi.org",
"github.com",
"api.github.com",
"raw.githubusercontent.com",
"objects.githubusercontent.com",
"codeload.github.com"
]
},
"excludedCommands": [
"docker",
"kubectl",
"podman",
"vagrant"
]
},
"comments": {
"autoAllowMode": "Bash commands auto-approved if sandboxed (recommended for daily dev)",
"allowUnsandboxedCommands": "Disable escape hatch for maximum security",
"allowedWritePaths": "${CWD} = current working directory. /tmp for temporary files.",
"deniedReadPaths": "Block access to credentials and sensitive configs",
"network.policy": "deny = block all, allow only specified domains (denylist mode)",
"allowedDomains": "Whitelist only trusted package registries and VCS hosts",
"excludedCommands": "Tools incompatible with sandbox - run outside (with permission prompts)"
}
}
Reference in a new issue View git blame Copy permalink