
Anthropic's Dual-Boundary Sandboxing Pattern

TRIGGER

AI coding agents that write, test, and run code need broad filesystem and network access to be useful, but this creates prompt injection attack surface—a compromised agent could steal SSH keys, exfiltrate secrets, or download malware. Permission prompts for every action slow development and cause approval fatigue where users stop reading what they're approving.

APPROACH

Anthropic's Claude Code team implemented OS-level sandboxing using Linux bubblewrap and macOS seatbelt primitives to create pre-defined boundaries. Input: agent code execution requests. Output: sandboxed execution with filesystem restricted to working directory and network routed through allowlist proxy. Filesystem isolation restricts read/write to the current working directory. Network isolation routes all traffic through a Unix domain socket to a proxy server running outside the sandbox that enforces domain allowlists and handles user confirmation for new domains. Both boundaries are configurable per-project. Result: 84% reduction in permission prompts in internal usage while maintaining security guarantees—prompt injection is contained within sandbox boundaries.
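The filesystem half of that design, as an added example written for this page rather than Claude Code's own implementation. It builds a Linux bubblewrap (`bwrap`) invocation that gives the agent a read-write view of the project directory only, an empty home (so `~/.ssh`, `~/.aws` and other dotfiles are simply not mounted), and no network namespace of its own; the single egress is the host-side proxy socket bound into the sandbox. The socket path and the `AGENT_PROXY_SOCKET` variable are assumptions of this example, as is the idea that whatever runs inside the sandbox is pointed at that socket.

```python
"""Filesystem boundary of a dual-boundary agent sandbox, built on bubblewrap.

Added example, not Claude Code's own code. Assumes bwrap is installed and that
an allowlist proxy already listens on a Unix domain socket on the host.
"""
import os
import shutil
import subprocess
from typing import List

# Path inside the sandbox at which the host proxy socket becomes visible (assumed).
SANDBOX_PROXY_SOCKET = "/run/agent/proxy.sock"


def build_bwrap_command(workdir: str, proxy_socket: str, argv: List[str]) -> List[str]:
    """Return the bwrap argument vector that runs `argv` with:
    - a read-only view of system binaries and libraries,
    - an empty tmpfs where the real home directory would be,
    - read-write access to `workdir` and nothing else on the host,
    - no network namespace (--unshare-net), so only the bound socket leads out.
    Mounts are applied in order, so the project bind comes after the home tmpfs
    and stays visible even when the project lives under $HOME.
    """
    workdir = os.path.abspath(workdir)
    home = os.path.expanduser("~")
    if not os.path.isdir(workdir):
        raise ValueError(f"workdir does not exist: {workdir}")
    if not os.path.isabs(proxy_socket):
        raise ValueError("proxy_socket must be an absolute host path")
    cmd = [
        "bwrap",
        # Read-only system view; nothing here is writable by the agent.
        "--ro-bind", "/usr", "/usr",
        "--symlink", "usr/lib", "/lib",
        "--symlink", "usr/lib64", "/lib64",
        "--symlink", "usr/bin", "/bin",
        "--symlink", "usr/sbin", "/sbin",
        # Only the /etc pieces the dynamic loader and user lookup need; never all of /etc.
        "--ro-bind-try", "/etc/ld.so.cache", "/etc/ld.so.cache",
        "--ro-bind-try", "/etc/passwd", "/etc/passwd",
        "--ro-bind-try", "/etc/group", "/etc/group",
        "--proc", "/proc",
        "--dev", "/dev",
        "--tmpfs", "/tmp",
        # Fresh empty home: dotfiles, keys and shell history are never mounted.
        "--tmpfs", home,
        # The project tree is the only writable host path.
        "--bind", workdir, workdir,
        # The host proxy socket is the single network egress.
        "--bind", proxy_socket, SANDBOX_PROXY_SOCKET,
        "--unshare-net", "--unshare-pid", "--unshare-ipc", "--unshare-uts",
        "--die-with-parent",
        "--new-session",
        "--chdir", workdir,
        "--setenv", "HOME", home,
        "--setenv", "AGENT_PROXY_SOCKET", SANDBOX_PROXY_SOCKET,
        "--",
    ]
    return cmd + list(argv)


def writable_host_paths(cmd: List[str]) -> List[str]:
    """Host paths mounted read-write by a command from build_bwrap_command().
    Useful as a pre-flight check: the list should contain the project directory
    and the proxy socket, and nothing else."""
    return [cmd[i + 1] for i, tok in enumerate(cmd) if tok == "--bind"]


def run_sandboxed(workdir: str, proxy_socket: str, argv: List[str]) -> subprocess.CompletedProcess:
    """Execute `argv` inside the sandbox; refuse to fall back to an unsandboxed run."""
    if shutil.which("bwrap") is None:
        raise RuntimeError("bubblewrap (bwrap) not found; refusing to run without the boundary")
    return subprocess.run(build_bwrap_command(workdir, proxy_socket, argv), check=False)


if __name__ == "__main__":
    # Prints the command so it can be reviewed before anything is executed.
    print(" ".join(build_bwrap_command(".", "/run/host/agent-proxy.sock", ["ls", "-la", "/"])))
```

The important property is the absence of binds: `writable_host_paths()` should list exactly the project directory and the proxy socket, and the real home directory never appears anywhere in the argument vector, so there is no `~/.ssh` for a prompt-injected command to read in the first place.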

PATTERN

Filesystem sandboxing alone won't stop a compromised agent from exfiltrating your SSH keys over the network; network isolation alone won't prevent it from escaping via local files. Either boundary alone is trivially bypassable—the dual constraint is what makes agent sandboxing meaningful.
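The network half, paired with the filesystem boundary above, as an added example and not Claude Code's proxy. It is a small HTTP CONNECT proxy that listens on a Unix domain socket on the host, checks each requested host against a per-project allowlist, remembers hosts the user has approved or refused for the session, and refuses raw IP literals so that a domain allowlist cannot be sidestepped by dialling an address directly. The allowlist entries, the `confirm` callback and the socket path are all assumptions of this example; inside the sandbox it only works because the process has no network namespace of its own and can reach nothing but this socket.

```python
"""Network boundary of a dual-boundary agent sandbox: an allowlist-enforcing
CONNECT proxy on a Unix domain socket. Added example, not Claude Code's own."""
import ipaddress
import socket
import socketserver
import threading
from typing import Callable, Iterable, Tuple


def parse_connect(request_line: bytes) -> Tuple[str, int]:
    """Parse 'CONNECT host:port HTTP/1.1'; anything else raises ValueError."""
    parts = request_line.decode("ascii", "strict").split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        raise ValueError("only CONNECT is accepted")
    host, _, port = parts[1].rpartition(":")
    if not host or not port.isdigit():
        raise ValueError("malformed authority")
    return host.strip("[]").lower().rstrip("."), int(port)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_matches(host: str, pattern: str) -> bool:
    """Exact match, or '*.example.com' matching any subdomain (never the apex
    and never 'notexample.com')."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


class AllowlistPolicy:
    """Per-project allowlist plus a session memory of user decisions."""

    def __init__(self, allowlist: Iterable[str], confirm: Callable[[str], bool]):
        self.allowlist = [p.lower() for p in allowlist]
        self.confirm = confirm          # asks the user about a new host (assumed UI)
        self.approved: set = set()
        self.denied: set = set()

    def evaluate(self, host: str) -> str:
        """'allow', 'deny' or 'ask' without touching the user."""
        if is_ip_literal(host):
            return "deny"               # this example's choice: no dialling by address
        if host in self.approved or any(host_matches(host, p) for p in self.allowlist):
            return "allow"
        if host in self.denied:
            return "deny"
        return "ask"

    def authorize(self, host: str) -> bool:
        decision = self.evaluate(host)
        if decision == "ask":
            allowed = self.confirm(host)
            (self.approved if allowed else self.denied).add(host)
            return allowed
        return decision == "allow"


def pump(client: socket.socket, upstream: socket.socket) -> None:
    """Bidirectional copy with half-close, so either side can finish cleanly."""
    def copy(src, dst):
        try:
            while chunk := src.recv(65536):
                dst.sendall(chunk)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)
            except OSError:
                pass
    t = threading.Thread(target=copy, args=(upstream, client), daemon=True)
    t.start()
    copy(client, upstream)
    t.join()


class ConnectHandler(socketserver.StreamRequestHandler):
    def handle(self):
        try:
            host, port = parse_connect(self.rfile.readline(8192))
        except ValueError:
            self.wfile.write(b"HTTP/1.1 400 Bad Request\r\n\r\n")
            return
        while self.rfile.readline(8192) not in (b"\r\n", b"\n", b""):
            pass                        # discard request headers
        if not self.server.policy.authorize(host):
            self.wfile.write(b"HTTP/1.1 403 Forbidden\r\n\r\n")
            return
        try:
            upstream = socket.create_connection((host, port), timeout=10)
        except OSError:
            self.wfile.write(b"HTTP/1.1 502 Bad Gateway\r\n\r\n")
            return
        with upstream:
            self.wfile.write(b"HTTP/1.1 200 Connection Established\r\n\r\n")
            pump(self.connection, upstream)


class ProxyServer(socketserver.ThreadingUnixStreamServer):
    def __init__(self, socket_path: str, policy: AllowlistPolicy):
        self.policy = policy
        super().__init__(socket_path, ConnectHandler)


if __name__ == "__main__":
    import os, sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/tmp/agent-proxy.sock"   # assumed path
    if os.path.exists(path):
        os.unlink(path)
    policy = AllowlistPolicy(["api.github.com", "*.pypi.org"],
                             confirm=lambda h: input(f"Allow {h}? [y/N] ").strip().lower() == "y")
    with ProxyServer(path, policy) as srv:
        srv.serve_forever()
```

Because the proxy runs outside the sandbox, a prompt-injected command inside it can neither edit the allowlist nor answer the confirmation prompt on the user's behalf; the policy object is the only place the decision is made, and `evaluate()` can be unit-tested without any sockets at all.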

WORKS WHEN

  • Agent needs to execute arbitrary code, scripts, or spawn subprocesses as part of normal operation
  • Sensitive credentials (SSH keys, API tokens, signing keys) exist on the host system
  • Permission prompts exceed 5-10 per task, causing approval fatigue
  • OS-level isolation primitives are available (Linux namespaces, macOS sandbox-exec)
  • Agent's legitimate work can be scoped to a specific directory tree and known network hosts

FAILS WHEN

  • Agent legitimately needs access to files scattered across the filesystem (dotfiles, global configs)
  • Network access patterns are unpredictable or require connecting to arbitrary user-specified hosts
  • Target environment lacks OS-level isolation support (older kernels, restricted container runtimes)
  • Performance overhead of proxy-based network isolation exceeds latency budget for high-frequency network operations
  • Users need the agent to manage system-wide state (package managers, system services)

Stage

build

From

October 2025
