From 10d4e08bc5d18daa59ddec19a3e2bf345331ccfc Mon Sep 17 00:00:00 2001 From: main Date: Mon, 23 Mar 2026 16:51:01 -0400 Subject: Externalize Claude sandboxing with systemd-run --- assets/codex-skills/phone-opus/SKILL.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'assets/codex-skills/phone-opus/SKILL.md') diff --git a/assets/codex-skills/phone-opus/SKILL.md b/assets/codex-skills/phone-opus/SKILL.md index 305badb..7db836a 100644 --- a/assets/codex-skills/phone-opus/SKILL.md +++ b/assets/codex-skills/phone-opus/SKILL.md @@ -35,7 +35,8 @@ should be taken as authoritative or final. It is a pure consultant. - Pins Claude to Opus 4.6 with max effort. - Prepends a fixed consult prefix before your prompt so Opus knows it is advising another model in read-only mode and should return a prioritized actionable report. -- Uses `--permission-mode dontAsk`, so only globally preapproved read-only Bash commands can execute. +- Uses `--dangerously-skip-permissions`, but wraps Claude in an external `systemd-run --user` sandbox. +- The sandbox keeps the filesystem globally read-only, gives Claude a separate persistent home under phone-opus state, leaves `/tmp` and `/var/tmp` writable, and forces the consulted `cwd` read-only when that tree would otherwise be writable. - This surface is consultative only. Edit tools are unavailable. - The returned `session_id` is reusable: pass it back into a later `consult` call to continue that Claude conversation. - Background consults return a `job_id`; use `consult_job` to poll one job or `consult_jobs` to rediscover recent ones. -- cgit v1.2.3
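Review bot: The two added bullets (the `--dangerously-skip-permissions` line and the sandbox description that follows it) document only filesystem restrictions, yet with permission prompts skipped the external `systemd-run --user` wrapper becomes the sole enforcement boundary. The text should say what happens when that wrapper cannot be established, ideally that the consult refuses to run rather than starting Claude unsandboxed, and whether anything besides the filesystem (network access, for instance) is restricted; neither can be determined from these lines. The unchanged context lines "advising another model in read-only mode" and "This surface is consultative only. Edit tools are unavailable." should also be rechecked against the new setup, since `/tmp`, `/var/tmp` and the separate persistent home are now writable. Suggest wording that says writes are confined to those locations and that the persistent home carries state from one consult to the next.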