Claude Code sandbox: close the gaps before you auto-allow

Most Claude Code sandbox guides sell convenience. Fewer prompts, smoother flow, less time approving commands.

But what about the blast radius?

When an AI agent runs a command, it does not only run the command you had in mind. It runs every child process, package script, setup hook and recovery step that command sets off.

A helpful agent reads a README, installs a dependency, retries a failed setup step, and turns "get this project running" into "execute whatever this project tells me to execute."

The sandbox is a boundary, not a trust button. And the boundary only protects you to the extent you configure it.