Tools: Sandbox Mode: YOLO Speed Meets Actual Security

The Problem ## The Solution: Sandbox Mode ## How to Use It ## Preset Configurations ## Pro Tips ## Real-World Use Case ## Conclusion Define boundaries once. Claude works freely inside them. "Can I run npm install?" [Allow] "Can I run npm test?" [Allow] "Can I read this file?" [Allow] "Can I write to this directory?" [Allow] "Can I—" [ALLOW ALREADY!] If you've used Claude Code for any serious work, you know the permission dance. It's well-intentioned — Claude asking before taking potentially risky actions keeps you in control. But when you're in the zone, those constant interruptions are productivity poison. What if you could give Claude a playground with clear walls? Let it run wild inside, while keeping the outside world safe? Claude Code's default behavior is cautiously polite. Every file write, every command execution, every system interaction prompts for permission. This is the right default for a tool that can modify your codebase. But in practice, you often know exactly what Claude should be allowed to do: Clicking [Allow] a hundred times per session isn't safety — it's theater. Real security comes from defining clear boundaries upfront, not from muscle-memory clicking. The constant interruptions also break your flow. You ask Claude to refactor a module, then spend the next five minutes babysitting permissions instead of reviewing the actual changes. Sandbox Mode lets you define a security perimeter once. Inside that perimeter, Claude operates freely. Outside, it's locked out. Activate sandbox mode with: Or start Claude Code directly in sandbox mode: You'll be prompted to configure your boundaries: Once configured, Claude works at full speed within these boundaries. No more permission popups. No more flow interruption. Just execution. Common sandbox profiles are available out of the box: This enables typical frontend development permissions: npm/yarn commands, src directory access, build tooling, etc. Minimal permissions: read-only access to most files, explicit approval for writes. Uses sandbox configuration from your project's .claude/sandbox.json: Start restrictive, expand carefully: Begin with minimal permissions. Add access as you encounter legitimate needs. It's easier to grant than to un-compromise. Use project-level sandboxes: Store sandbox configurations in .claude/sandbox.json. Every team member gets the same safe defaults. No one accidentally gives Claude access to production credentials. Separate read and write permissions: You might want Claude to read your entire codebase but only write to specific directories: Audit sandbox activity: Use /sandbox --log to see everything Claude did within the sandbox. Great for security reviews and understanding AI behavior. Temporary expansions: Need to briefly allow something outside the sandbox? Use /allow-once npm publish instead of reconfiguring everything. A developer on a large monorepo described their old workflow: "I'd ask Claude to update our component library. It needed to modify files across 15 packages, run tests, update snapshots, check types, and fix linting. Every single action required permission. I counted once: 73 permission prompts for one refactoring task. I started just clicking Allow without reading." That last sentence is the real danger. Permission fatigue leads to rubber-stamping, which defeats the entire purpose. "Now I configure the sandbox once at the start of a session. Claude refactors freely within the boundaries. I review the actual code changes instead of permission dialogs. And the config file means I can't accidentally allow something dangerous when I'm tired." Sandbox Mode is security done right. Instead of a hundred small, easily-ignored permissions, you make a few deliberate decisions about boundaries. Claude gets the freedom to work efficiently. You get peace of mind and uninterrupted flow. Define your walls. Let Claude build inside them. Tomorrow: Ever wondered if you're about to hit your usage limit mid-task? Day 28 reveals /usage — your window into Claude's consumption and how to push past the boundaries. Your sandbox config should be as deliberate as your .gitignore. What paths and commands would you include? Templates let you quickly answer FAQs or store snippets for re-use. Are you sure you want to hide this comment? It will become hidden in your post, but will still be visible via the comment's permalink. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse CODE_BLOCK: /sandbox Enter fullscreen mode Exit fullscreen mode CODE_BLOCK: claude --sandbox Enter fullscreen mode Exit fullscreen mode CODE_BLOCK: claude --sandbox CODE_BLOCK: claude --sandbox COMMAND_BLOCK: 🔒 Sandbox Configuration Allowed directories (read/write): > ./src, ./tests, ./docs Allowed commands: > npm *, yarn *, pnpm *, git status, git diff Blocked paths: > .env*, **/secrets/*, ~/.ssh Maximum file size: 1MB Network access: disabled Enter fullscreen mode Exit fullscreen mode COMMAND_BLOCK: 🔒 Sandbox Configuration Allowed directories (read/write): > ./src, ./tests, ./docs Allowed commands: > npm *, yarn *, pnpm *, git status, git diff Blocked paths: > .env*, **/secrets/*, ~/.ssh Maximum file size: 1MB Network access: disabled COMMAND_BLOCK: 🔒 Sandbox Configuration Allowed directories (read/write): > ./src, ./tests, ./docs Allowed commands: > npm *, yarn *, pnpm *, git status, git diff Blocked paths: > .env*, **/secrets/*, ~/.ssh Maximum file size: 1MB Network access: disabled CODE_BLOCK: /sandbox --preset frontend Enter fullscreen mode Exit fullscreen mode CODE_BLOCK: /sandbox --preset frontend CODE_BLOCK: /sandbox --preset frontend CODE_BLOCK: /sandbox --preset conservative Enter fullscreen mode Exit fullscreen mode CODE_BLOCK: /sandbox --preset conservative CODE_BLOCK: /sandbox --preset conservative CODE_BLOCK: /sandbox --preset project Enter fullscreen mode Exit fullscreen mode CODE_BLOCK: /sandbox --preset project CODE_BLOCK: /sandbox --preset project CODE_BLOCK: { "allowedPaths": ["./src", "./tests", "./scripts"], "blockedPaths": [".env*", "**/*.key", "**/credentials*"], "allowedCommands": ["npm test", "npm run build", "npm run lint"], "blockedCommands": ["rm -rf", "curl", "wget"], "networkAccess": false } Enter fullscreen mode Exit fullscreen mode CODE_BLOCK: { "allowedPaths": ["./src", "./tests", "./scripts"], "blockedPaths": [".env*", "**/*.key", "**/credentials*"], "allowedCommands": ["npm test", "npm run build", "npm run lint"], "blockedCommands": ["rm -rf", "curl", "wget"], "networkAccess": false } CODE_BLOCK: { "allowedPaths": ["./src", "./tests", "./scripts"], "blockedPaths": [".env*", "**/*.key", "**/credentials*"], "allowedCommands": ["npm test", "npm run build", "npm run lint"], "blockedCommands": ["rm -rf", "curl", "wget"], "networkAccess": false } CODE_BLOCK: { "readPaths": ["./**"], "writePaths": ["./src", "./tests"] } Enter fullscreen mode Exit fullscreen mode CODE_BLOCK: { "readPaths": ["./**"], "writePaths": ["./src", "./tests"] } CODE_BLOCK: { "readPaths": ["./**"], "writePaths": ["./src", "./tests"] } CODE_BLOCK: { "allowedPaths": ["./packages/ui/**", "./packages/shared/**"], "allowedCommands": [ "npm test -- --updateSnapshot", "npm run typecheck", "npm run lint -- --fix" ], "blockedPaths": ["**/package.json", "**/tsconfig.json"] } Enter fullscreen mode Exit fullscreen mode CODE_BLOCK: { "allowedPaths": ["./packages/ui/**", "./packages/shared/**"], "allowedCommands": [ "npm test -- --updateSnapshot", "npm run typecheck", "npm run lint -- --fix" ], "blockedPaths": ["**/package.json", "**/tsconfig.json"] } CODE_BLOCK: { "allowedPaths": ["./packages/ui/**", "./packages/shared/**"], "allowedCommands": [ "npm test -- --updateSnapshot", "npm run typecheck", "npm run lint -- --fix" ], "blockedPaths": ["**/package.json", "**/tsconfig.json"] } - "Yes, you can run any npm command" - "Yes, you can modify anything in the src/ directory" - "Yes, you can read any file in this project" - "No, don't touch my ~/.ssh folder or environment files" - Start restrictive, expand carefully: Begin with minimal permissions. Add access as you encounter legitimate needs. It's easier to grant than to un-compromise. - Use project-level sandboxes: Store sandbox configurations in .claude/sandbox.json. Every team member gets the same safe defaults. No one accidentally gives Claude access to production credentials. - Separate read and write permissions: You might want Claude to read your entire codebase but only write to specific directories: - Audit sandbox activity: Use /sandbox --log to see everything Claude did within the sandbox. Great for security reviews and understanding AI behavior. - Temporary expansions: Need to briefly allow something outside the sandbox? Use /allow-once npm publish instead of reconfiguring everything.