zhongwei/gh-djacobsmeyer-claude-skills-engineering-plugins-sandbox-manager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-29 18:22:18 +08:00
commit e53e5816bb
5 changed files with 927 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
.claude-plugin/plugin.json Normal file
View File

@@ -0,0 +1,12 @@
{
"name": "sandbox-manager",
"description": "Configure and manage Claude Code sandboxing for secure code execution. Use when user mentions sandboxing, security isolation, untrusted code, network restrictions, filesystem permissions, or wants to configure Claude Code security settings. Helps enable/disable sandbox mode, configure permissions, troubleshoot compatibility issues, and provide scenario-based configurations.",
"version": "1.0.0",
"author": {
"name": "Don Jacobsmeyer",
"email": "hello@donjacobsmeyer.com"
},
"skills": [
"./"
]
}

3
README.md Normal file
View File

@@ -0,0 +1,3 @@
# sandbox-manager
Configure and manage Claude Code sandboxing for secure code execution. Use when user mentions sandboxing, security isolation, untrusted code, network restrictions, filesystem permissions, or wants to configure Claude Code security settings. Helps enable/disable sandbox mode, configure permissions, troubleshoot compatibility issues, and provide scenario-based configurations.

395
SKILL.md Normal file
View File

@@ -0,0 +1,395 @@
---
name: sandbox-manager
description: Configure and manage Claude Code sandboxing for secure code execution. Use when user mentions sandboxing, security isolation, untrusted code, network restrictions, filesystem permissions, or wants to configure Claude Code security settings. Helps enable/disable sandbox mode, configure permissions, troubleshoot compatibility issues, and provide scenario-based configurations.
allowed-tools: Read, Write, Edit, Bash, Grep
---
# Sandbox Manager Skill
Helps users configure and manage Claude Code's sandboxing feature for secure, isolated code execution.
## Prerequisites
- Claude Code installed (Linux or macOS only - Windows not supported)
- Understanding of your project's security requirements
- Access to `.claude/settings.json` or `~/.claude/settings.json`
## When to Use Sandboxing
**Enable sandboxing when:**
- Working with untrusted or third-party code
- Testing potentially dangerous scripts
- Running unfamiliar repositories
- Need to restrict network or filesystem access
- Working in shared environments
**Skip sandboxing when:**
- Using tools incompatible with sandbox (docker, watchman)
- Need full system access for legitimate reasons
- Working with fully trusted code only
- Performance is critical and trust is established
## Workflow
### 1. Enable Sandbox Mode
To enable sandboxing for the current session:
```bash
/sandbox
```
This activates with sensible defaults:
- Read/write access to current working directory
- Read-only access to rest of filesystem (except denied locations)
- Network proxy requiring permission for new domains
### 2. Configure Sandbox Settings
Edit `.claude/settings.json` (project-level) or `~/.claude/settings.json` (global):
**Basic configuration:**
```json
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"/path/to/project",
"/path/to/data"
],
"deniedDirectories": [
"/etc",
"/var",
"~/.ssh",
"~/.aws"
],
"allowedDomains": [
"github.com",
"api.example.com",
"*.trusted-cdn.com"
]
}
}
```
### 3. Apply Scenario-Based Configuration
Choose a configuration template based on your use case (see [Configuration Templates](docs/configuration-templates.md)):
- **Web Development** - Allow npm registry, CDNs, common APIs
- **Python Data Science** - Allow PyPI, data sources, Jupyter
- **General Development** - Balanced permissions for most projects
- **High Security** - Minimal permissions for untrusted code
- **API Integration** - Specific API endpoints only
### 4. Troubleshoot Compatibility Issues
**Docker conflicts:**
- Sandboxing and Docker don't work together
- Either disable sandbox or use devcontainers instead
- Use `dangerouslyDisableSandbox: true` in tool calls if necessary
**Watchman conflicts:**
- Watchman (used by some file watchers) incompatible with sandbox
- Disable watchman or run without sandbox
**Network restrictions:**
- New domains trigger permission requests
- Add known domains to `allowedDomains` in settings
- Use wildcards for CDNs: `*.cloudfront.net`
**Permission denied errors:**
- Check if path is in `allowedDirectories`
- Ensure path isn't in `deniedDirectories`
- Use absolute paths in configuration
### 5. Verify Sandbox Status
Check if sandbox is active:
```bash
# Sandbox shows status when enabled
/sandbox
```
Test filesystem restrictions:
```bash
# Should succeed (working directory)
ls .
# May require permission (outside working directory)
ls /usr/local
```
Test network restrictions:
```bash
# Should prompt for permission (new domain)
curl https://example.com
```
## Configuration Templates
### Web Development Projects
```json
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"~/.npm",
"~/.nvm",
"/tmp"
],
"allowedDomains": [
"registry.npmjs.org",
"*.npmjs.org",
"*.cloudflare.com",
"*.cloudfront.net",
"api.github.com"
]
}
}
```
### Python Data Science
```json
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"~/.local/lib/python*",
"~/data",
"/tmp"
],
"allowedDomains": [
"pypi.org",
"*.pypi.org",
"files.pythonhosted.org",
"*.anaconda.org",
"raw.githubusercontent.com"
]
}
}
```
### High Security (Untrusted Code)
```json
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}/sandbox-only"
],
"deniedDirectories": [
"~/.ssh",
"~/.aws",
"~/.config",
"/etc",
"/var",
"/usr",
"/System"
],
"allowedDomains": []
}
}
```
### API Integration Projects
```json
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"/tmp"
],
"allowedDomains": [
"api.stripe.com",
"api.openai.com",
"*.your-api.com"
]
}
}
```
## Key Limitations
1. **OS Support:** Linux and macOS only (no Windows support)
2. **Docker incompatibility:** Cannot use Docker commands while sandboxed
3. **Tool compatibility:** Some tools (watchman) don't work in sandbox
4. **Network filtering:** Blocks domains, but doesn't inspect traffic content
5. **Performance:** Minimal overhead but present
6. **Nested sandboxing:** Weaker protection in Docker environments (Linux)
## Best Practices
### Security
- **Always deny sensitive directories:** `~/.ssh`, `~/.aws`, `~/.config`
- **Use principle of least privilege:** Only allow necessary domains
- **Review permission requests:** Don't auto-approve without understanding
- **Test in sandbox first:** Before running untrusted code
### Configuration
- **Use wildcards carefully:** `*.cdn.com` is broad - be specific when possible
- **Project-level settings:** Use `.claude/settings.json` for project-specific needs
- **Global baseline:** Set strict defaults in `~/.claude/settings.json`
- **Document exceptions:** Comment why certain permissions are needed
### Workflow
- **Enable for new repos:** Default to sandboxed when cloning unknown code
- **Disable when needed:** Use escape hatch for trusted operations
- **Check tool compatibility:** Verify your stack works with sandbox before enabling
- **Monitor permission requests:** Track what's being accessed
## Troubleshooting Guide
### "Permission denied" when accessing project files
**Solution:** Add project directory to `allowedDirectories`:
```json
"allowedDirectories": ["${workspaceFolder}"]
```
### Network requests failing silently
**Solution:** Check Claude Code output for permission prompts, or add domains:
```json
"allowedDomains": ["api.example.com"]
```
### Docker commands not working
**Solution:** Sandboxing conflicts with Docker. Either:
- Disable sandbox for this session
- Use `dangerouslyDisableSandbox: true` in Bash tool calls
- Use devcontainers instead
### Package manager can't download dependencies
**Solution:** Add package registry to allowed domains:
```json
"allowedDomains": [
"registry.npmjs.org",
"pypi.org",
"rubygems.org"
]
```
### Tool runs outside sandbox unexpectedly
**Solution:** Check if using escape hatch. Disable in settings:
```json
{
"sandbox": {
"allowUnsandboxedCommands": false
}
}
```
## Examples
### Example 1: Enable sandbox for untrusted repository
**User:** "I cloned a repo from GitHub that I don't fully trust. Can you help me run it safely?"
**Response:**
```
I'll help you set up sandboxing for secure execution:
1. First, let me enable sandbox mode:
/sandbox
2. I'll create a restricted configuration for this untrusted code:
[Creates .claude/settings.json with high-security template]
3. This configuration:
- Restricts filesystem access to this project only
- Blocks all network access by default
- Denies access to your credentials and config files
4. When you run the code, you'll be prompted for any permission requests.
Review each carefully before approving.
Would you like me to run the project's setup now, or would you like to
review the configuration first?
```
### Example 2: Configure sandbox for web development
**User:** "I need to work on a Next.js project. How do I set up sandboxing?"
**Response:**
```
I'll configure sandboxing optimized for Next.js development:
[Edits .claude/settings.json with web development template including:]
- npm registry access
- Common CDN domains
- Your project directory
- node_modules and package cache locations
This allows:
- npm install and package downloads
- CDN resources for development
- API calls to common services
- Full access to your project files
The sandbox will still protect:
- Your SSH keys and credentials
- System configuration files
- Other projects on your machine
Sandbox is now configured. Run /sandbox to enable it for this session.
```
### Example 3: Troubleshoot Docker conflict
**User:** "I enabled sandbox but now docker commands don't work"
**Response:**
```
Docker and Claude Code's sandbox mode are incompatible. You have three options:
1. **Disable sandbox for this session** (if you trust the code):
Run commands without /sandbox enabled
2. **Use selective unsandboxing** (for specific docker commands):
I can pass dangerouslyDisableSandbox: true for docker-specific operations
3. **Use devcontainers instead** (recommended for untrusted code):
Set up a devcontainer which provides isolation + Docker access
Which approach fits your security needs?
```
### Example 4: Debug permission issues
**User:** "Sandbox keeps blocking my Python script from reading data files"
**Response:**
```
Let me help debug the permission issue:
1. First, where are your data files located?
[User provides: ~/datasets/]
2. I see the issue - your data directory isn't in allowedDirectories.
Let me update your settings:
[Edits settings.json to add ~/datasets/ to allowedDirectories]
3. The sandbox now allows:
- Read/write to your project directory
- Read/write to ~/datasets/
- Read-only to system libraries
Try running your script again. If it still fails, check for:
- Network requests (will need domain allowlist)
- Writing to /tmp (can add if needed)
- Other file locations being accessed
```
## Related Resources
- **Configuration Templates:** See [docs/configuration-templates.md](docs/configuration-templates.md)
- **Official Docs:** https://code.claude.com/docs/en/sandboxing
- **Security Best Practices:** https://code.claude.com/docs/en/security
## Version
1.0.0 - Initial release with configuration templates and troubleshooting guide

468
docs/configuration-templates.md Normal file
View File

@@ -0,0 +1,468 @@
# Sandbox Configuration Templates
Comprehensive configuration templates for different development scenarios. Copy and customize for your project's needs.
## Table of Contents
- [Web Development](#web-development)
- [Python Data Science](#python-data-science)
- [Node.js Backend](#nodejs-backend)
- [Ruby on Rails](#ruby-on-rails)
- [Go Development](#go-development)
- [Rust Development](#rust-development)
- [High Security (Untrusted Code)](#high-security-untrusted-code)
- [API Integration](#api-integration)
- [DevOps/Infrastructure](#devopsinfrastructure)
- [Mobile Development](#mobile-development)
---
## Web Development
For frontend projects using npm, yarn, or pnpm with common CDNs and APIs.
**Use case:** React, Vue, Angular, Next.js, Svelte projects
```json
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"~/.npm",
"~/.nvm",
"~/.yarn",
"~/.pnpm-store",
"/tmp"
],
"deniedDirectories": [
"~/.ssh",
"~/.aws",
"~/.config/gcloud",
"/etc",
"/var"
],
"allowedDomains": [
"registry.npmjs.org",
"*.npmjs.org",
"registry.yarnpkg.com",
"*.cloudflare.com",
"*.cloudfront.net",
"cdn.jsdelivr.net",
"unpkg.com",
"fonts.googleapis.com",
"fonts.gstatic.com",
"api.github.com",
"raw.githubusercontent.com"
]
}
}
```
---
## Python Data Science
For data analysis, machine learning, and scientific computing projects.
**Use case:** Jupyter, pandas, numpy, scikit-learn, PyTorch, TensorFlow
```json
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"~/.local/lib/python3.9",
"~/.local/lib/python3.10",
"~/.local/lib/python3.11",
"~/.local/lib/python3.12",
"~/data",
"~/datasets",
"~/notebooks",
"/tmp"
],
"deniedDirectories": [
"~/.ssh",
"~/.aws",
"~/.kaggle",
"/etc",
"/var"
],
"allowedDomains": [
"pypi.org",
"*.pypi.org",
"files.pythonhosted.org",
"*.anaconda.org",
"conda.anaconda.org",
"raw.githubusercontent.com",
"*.huggingface.co",
"github.com",
"*.github.io"
]
}
}
```
---
## Node.js Backend
For Express, Nest.js, or other Node.js server applications.
**Use case:** REST APIs, GraphQL servers, microservices
```json
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"~/.npm",
"~/.nvm",
"/tmp",
"/var/log/app"
],
"deniedDirectories": [
"~/.ssh",
"~/.aws",
"/etc/passwd",
"/etc/shadow"
],
"allowedDomains": [
"registry.npmjs.org",
"*.npmjs.org",
"api.github.com",
"smtp.gmail.com",
"smtp.sendgrid.net",
"api.stripe.com",
"api.twilio.com",
"*.mongodb.net",
"*.amazonaws.com"
]
}
}
```
---
## Ruby on Rails
For Rails applications with bundler and common Ruby gems.
**Use case:** Rails web apps, Sinatra, Ruby scripts
```json
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"~/.gem",
"~/.bundle",
"~/.rbenv",
"/tmp"
],
"deniedDirectories": [
"~/.ssh",
"~/.aws",
"/etc",
"/var"
],
"allowedDomains": [
"rubygems.org",
"*.rubygems.org",
"api.github.com",
"raw.githubusercontent.com",
"*.herokuapp.com"
]
}
}
```
---
## Go Development
For Go projects with module downloads and common tooling.
**Use case:** Go CLI tools, microservices, web servers
```json
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"~/go",
"~/.cache/go-build",
"/tmp"
],
"deniedDirectories": [
"~/.ssh",
"~/.aws",
"/etc",
"/var"
],
"allowedDomains": [
"proxy.golang.org",
"sum.golang.org",
"*.golang.org",
"github.com",
"*.github.com",
"api.github.com"
]
}
}
```
---
## Rust Development
For Rust projects using cargo and crates.io.
**Use case:** Rust applications, CLI tools, system programming
```json
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"~/.cargo",
"~/.rustup",
"/tmp"
],
"deniedDirectories": [
"~/.ssh",
"~/.aws",
"/etc",
"/var"
],
"allowedDomains": [
"crates.io",
"*.crates.io",
"static.crates.io",
"index.crates.io",
"github.com",
"*.github.com",
"raw.githubusercontent.com"
]
}
}
```
---
## High Security (Untrusted Code)
Minimal permissions for running untrusted or experimental code.
**Use case:** Testing third-party code, security research, code review
```json
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}/sandbox"
],
"deniedDirectories": [
"~/.ssh",
"~/.aws",
"~/.gcp",
"~/.azure",
"~/.config",
"~/.gnupg",
"/etc",
"/var",
"/usr",
"/System",
"/Library"
],
"allowedDomains": [],
"allowUnsandboxedCommands": false
}
}
```
**Notes:**
- No network access by default
- Limited to single subdirectory
- Blocks escape hatch
- Add domains only as absolutely necessary
---
## API Integration
For projects primarily making API calls to external services.
**Use case:** Integration scripts, API clients, webhooks
```json
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"/tmp"
],
"deniedDirectories": [
"~/.ssh",
"~/.aws",
"~/.config"
],
"allowedDomains": [
"api.stripe.com",
"api.openai.com",
"api.anthropic.com",
"*.twilio.com",
"api.sendgrid.com",
"hooks.slack.com",
"*.googleapis.com",
"graph.microsoft.com"
]
}
}
```
**Customize:** Replace with your specific API endpoints
---
## DevOps/Infrastructure
For infrastructure-as-code and deployment scripts.
**Use case:** Terraform, Ansible, deployment automation
```json
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"~/.terraform.d",
"~/.ansible",
"/tmp"
],
"deniedDirectories": [
"~/.ssh",
"~/.aws",
"~/.gcp",
"/etc/passwd"
],
"allowedDomains": [
"registry.terraform.io",
"releases.hashicorp.com",
"checkpoint-api.hashicorp.com",
"galaxy.ansible.com",
"github.com",
"*.github.com"
]
}
}
```
**Warning:** Be cautious with infrastructure code - verify before running
---
## Mobile Development
For React Native, Flutter, or mobile app development.
**Use case:** Mobile app development, cross-platform frameworks
```json
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"~/.npm",
"~/.pub-cache",
"~/Android/Sdk",
"~/Library/Android",
"/tmp"
],
"deniedDirectories": [
"~/.ssh",
"~/.aws",
"/etc",
"/var"
],
"allowedDomains": [
"registry.npmjs.org",
"pub.dev",
"*.pub.dev",
"maven.google.com",
"jcenter.bintray.com",
"repo1.maven.org",
"dl.google.com"
]
}
}
```
---
## Template Variables
All templates support these variables:
- `${workspaceFolder}` - Current project directory
- `~` - User home directory
- `*` - Wildcard for domains (use carefully)
## Combining Templates
You can merge multiple templates for polyglot projects:
```json
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"~/.npm",
"~/.local/lib/python3.11",
"/tmp"
],
"allowedDomains": [
"registry.npmjs.org",
"pypi.org",
"*.npmjs.org",
"*.pypi.org"
]
}
}
```
## Testing Your Configuration
After applying a template:
1. Enable sandbox: `/sandbox`
2. Test file access: `ls ${workspaceFolder}`
3. Test package install: `npm install` or `pip install`
4. Monitor permission requests in Claude Code output
5. Refine based on actual needs
## Security Checklist
Before using any template:
- [ ] Verify all `allowedDirectories` are necessary
- [ ] Confirm `deniedDirectories` includes sensitive paths
- [ ] Review each domain in `allowedDomains`
- [ ] Remove wildcards where possible
- [ ] Test with minimal permissions first
- [ ] Document why each permission is needed
---
**Last Updated:** 2025-11-14
**Version:** 1.0.0

49
plugin.lock.json Normal file
View File

@@ -0,0 +1,49 @@
{
"$schema": "internal://schemas/plugin.lock.v1.json",
"pluginId": "gh:djacobsmeyer/claude-skills-engineering:plugins/sandbox-manager",
"normalized": {
"repo": null,
"ref": "refs/tags/v20251128.0",
"commit": "7c68506fbeb606804ee9ef23f97de5b43650cc84",
"treeHash": "8c479a78735f536cf61092399c5b5fbd17a78f6f6a4bc36542e51c269f69bfcf",
"generatedAt": "2025-11-28T10:16:28.114883Z",
"toolVersion": "publish_plugins.py@0.2.0"
},
"origin": {
"remote": "git@github.com:zhongweili/42plugin-data.git",
"branch": "master",
"commit": "aa1497ed0949fd50e99e70d6324a29c5b34f9390",
"repoRoot": "/Users/zhongweili/projects/openmind/42plugin-data"
},
"manifest": {
"name": "sandbox-manager",
"description": "Configure and manage Claude Code sandboxing for secure code execution. Use when user mentions sandboxing, security isolation, untrusted code, network restrictions, filesystem permissions, or wants to configure Claude Code security settings. Helps enable/disable sandbox mode, configure permissions, troubleshoot compatibility issues, and provide scenario-based configurations.",
"version": "1.0.0"
},
"content": {
"files": [
{
"path": "README.md",
"sha256": "3fce4d366fd372b25848c1390f66b092fdd44d67266b5bbbdf3720857b5ef7cc"
},
{
"path": "SKILL.md",
"sha256": "9679046ce15125934df65e889612649d5c8ace1eda2fb183301f006efc57ecdb"
},
{
"path": "docs/configuration-templates.md",
"sha256": "4681e71b9f24e09e0b119893cc252628672bb68c60b154dd476e8a9249a556b2"
},
{
"path": ".claude-plugin/plugin.json",
"sha256": "0013221d4a1d005cf2ed2cd87a71c5048a9d81b979cf84905f7581313c738778"
}
],
"dirSha256": "8c479a78735f536cf61092399c5b5fbd17a78f6f6a4bc36542e51c269f69bfcf"
},
"security": {
"scannedAt": null,
"scannerVersion": null,
"flags": []
}
}