| field | value | date |
|---|---|---|
| author | main <main@swarm.moe> | 2026-03-23 16:51:01 -0400 |
| committer | main <main@swarm.moe> | 2026-03-23 16:51:01 -0400 |
| commit | 10d4e08bc5d18daa59ddec19a3e2bf345331ccfc (patch) | |
| tree | e0a702e4abff8059dfc7a72bbef599e1e79f896b /README.md | |
| parent | c3ad44cf3ec3bcd080f62c19d915ac1749576302 (diff) | |
| download | phone_opus-10d4e08bc5d18daa59ddec19a3e2bf345331ccfc.zip | |
Externalize Claude sandboxing with systemd-run
Diffstat (limited to 'README.md')
| -rw-r--r-- | README.md | 9 |
1 files changed, 7 insertions, 2 deletions
@@ -31,8 +31,13 @@ Each `consult` call runs Claude Code with: - no configured MCP servers (`--strict-mcp-config --mcp-config '{"mcpServers":{}}'`) - a read-only built-in toolset: - `Bash,Read,Grep,Glob,LS,WebFetch,WebSearch` -- `--permission-mode dontAsk`, so only preapproved read-only Bash patterns can - execute and edit tools never appear in the session +- `--dangerously-skip-permissions` +- an external `systemd-run --user` sandbox instead of Claude's internal permission gate + - the filesystem stays globally read-only under `ProtectSystem=strict` + - `phone_opus` gives Claude a separate persistent home and XDG state under its own state root + - `/tmp` and `/var/tmp` stay writable + - when the consulted `cwd` sits inside a writable tree such as `/tmp/...`, that consulted tree is remounted read-only so Claude cannot accidentally edit the target repo +- internet access remains available ## Development |
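Review bot: the unchanged context line "a read-only built-in toolset" and the `Bash` entry beneath it no longer match the new bullets, because swapping `--permission-mode dontAsk` for `--dangerously-skip-permissions` removes the "only preapproved read-only Bash patterns can execute" guarantee the deleted lines described; the Bash tool can now run arbitrary commands and "read-only" is enforced solely by the `systemd-run --user` mounts. The README should say so explicitly, e.g. change the heading to "a built-in toolset whose writes are blocked at the mount level, not by Claude's permission gate" and give the bare `--dangerously-skip-permissions` bullet a trailing clause such as "(safe only because the external sandbox below replaces the internal gate)". The "internet access remains available" bullet deserves the same honesty: with `WebFetch`, `WebSearch` and an ungated `Bash` in the same session, the mount sandbox stops edits to the consulted tree but does nothing to stop its contents from leaving over the network, so either document that egress is intentionally unrestricted or note which systemd network restriction (if any) the unit applies. Finally, the "/tmp and /var/tmp stay writable" bullet together with the "remounted read-only" rule for a `cwd` under `/tmp/...` should state what happens when `cwd` is `/tmp` itself or a parent of other writable scratch space, since the visible lines do not say whether the remount covers only the consulted tree or the whole of `/tmp`.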