Comment by johnsonjo
6 hours ago
I've been using jai [1] for sandboxing on linux (although I use opencode and local models and not claude code) and I'm pretty satisfied with it. It comes in three different modes [2]: casual mode, strict mode, and bare mode. Here's some descriptions of each mode:
Casual mode [3]: > Your home directory is mounted as a copy-on-write overlay. The jailed process sees your real files, but writes go to $HOME/.jai/default.changes instead of modifying originals, except in the directory where you ran jai. Your current working directory grants full read/write access to code in the jail (unless suppressed with -D). So files deleted there are really gone. /tmp and /var/tmp are private. The rest of the filesystem is read-only.
Strict mode [4]: > The process runs as the unprivileged jai system user, not as you. Home directory is an empty private directory at $HOME/.jai/<name>.home. Granted directories (via -d or cwd) are exposed with id-mapped mounts — files look like they are owned by jai inside the jail. Because the process has a different UID, it cannot read files outside your home directory that are only accessible to your user — this is where confidentiality comes from.
Bare mode [5]: > Home directory is an empty private directory, like strict mode. But the process runs as your user, not as jai. This means it cannot provide confidentiality — the process can still read any file accessible to your UID outside the home directory.
I've always ran my stuff in casual so far just so my whole computer doesn't get rimraffed :P. but I'm thinking of switching to just strict mode, but haven't really vibe coded in a while so I haven't tried it yet.
[1]: https://jai.scs.stanford.edu/
[2]: https://jai.scs.stanford.edu/modes.html
[3]: https://jai.scs.stanford.edu/modes.html#casual-mode
[dead]