From 10d4e08bc5d18daa59ddec19a3e2bf345331ccfc Mon Sep 17 00:00:00 2001 From: main Date: Mon, 23 Mar 2026 16:51:01 -0400 Subject: Externalize Claude sandboxing with systemd-run --- README.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 7f5eedf..74a211e 100644 --- a/README.md +++ b/README.md @@ -31,8 +31,13 @@ Each `consult` call runs Claude Code with: - no configured MCP servers (`--strict-mcp-config --mcp-config '{"mcpServers":{}}'`) - a read-only built-in toolset: - `Bash,Read,Grep,Glob,LS,WebFetch,WebSearch` -- `--permission-mode dontAsk`, so only preapproved read-only Bash patterns can - execute and edit tools never appear in the session +- `--dangerously-skip-permissions` +- an external `systemd-run --user` sandbox instead of Claude's internal permission gate + - the filesystem stays globally read-only under `ProtectSystem=strict` + - `phone_opus` gives Claude a separate persistent home and XDG state under its own state root + - `/tmp` and `/var/tmp` stay writable + - when the consulted `cwd` sits inside a writable tree such as `/tmp/...`, that consulted tree is remounted read-only so Claude cannot accidentally edit the target repo +- internet access remains available ## Development -- cgit v1.2.3
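
Review bot: The bullets added under `--dangerously-skip-permissions` say what stays read-only but not what stays readable, and the last added line keeps internet access open, so the README should state whether the caller's real home directory and credentials are visible inside the `systemd-run --user` unit. `ProtectSystem=strict` as listed here only blocks writes. With Claude's permission gate switched off, Bash is no longer limited to preapproved patterns, so any readable secret combined with network access is the exposure that remains. If the unit already hides the real home (for example through `ProtectHome=` or an equivalent setting), list that here; if it does not, consider adding it. The unchanged context line `- a read-only built-in toolset:` also no longer holds on its own, because the removed lines were what restricted Bash to read-only patterns. Reword it to say the read-only behaviour now comes from the sandbox, and note that `/tmp`, `/var/tmp` and the persistent state root stay writable across `consult` calls.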