8.5 KiB
Sandbox Configuration Templates
Comprehensive configuration templates for different development scenarios. Copy and customize for your project's needs.
Table of Contents
- Web Development
- Python Data Science
- Node.js Backend
- Ruby on Rails
- Go Development
- Rust Development
- High Security (Untrusted Code)
- API Integration
- DevOps/Infrastructure
- Mobile Development
Web Development
For frontend projects using npm, yarn, or pnpm with common CDNs and APIs.
Use case: React, Vue, Angular, Next.js, Svelte projects
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"~/.npm",
"~/.nvm",
"~/.yarn",
"~/.pnpm-store",
"/tmp"
],
"deniedDirectories": [
"~/.ssh",
"~/.aws",
"~/.config/gcloud",
"/etc",
"/var"
],
"allowedDomains": [
"registry.npmjs.org",
"*.npmjs.org",
"registry.yarnpkg.com",
"*.cloudflare.com",
"*.cloudfront.net",
"cdn.jsdelivr.net",
"unpkg.com",
"fonts.googleapis.com",
"fonts.gstatic.com",
"api.github.com",
"raw.githubusercontent.com"
]
}
}
Python Data Science
For data analysis, machine learning, and scientific computing projects.
Use case: Jupyter, pandas, numpy, scikit-learn, PyTorch, TensorFlow
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"~/.local/lib/python3.9",
"~/.local/lib/python3.10",
"~/.local/lib/python3.11",
"~/.local/lib/python3.12",
"~/data",
"~/datasets",
"~/notebooks",
"/tmp"
],
"deniedDirectories": [
"~/.ssh",
"~/.aws",
"~/.kaggle",
"/etc",
"/var"
],
"allowedDomains": [
"pypi.org",
"*.pypi.org",
"files.pythonhosted.org",
"*.anaconda.org",
"conda.anaconda.org",
"raw.githubusercontent.com",
"*.huggingface.co",
"github.com",
"*.github.io"
]
}
}
Node.js Backend
For Express, Nest.js, or other Node.js server applications.
Use case: REST APIs, GraphQL servers, microservices
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"~/.npm",
"~/.nvm",
"/tmp",
"/var/log/app"
],
"deniedDirectories": [
"~/.ssh",
"~/.aws",
"/etc/passwd",
"/etc/shadow"
],
"allowedDomains": [
"registry.npmjs.org",
"*.npmjs.org",
"api.github.com",
"smtp.gmail.com",
"smtp.sendgrid.net",
"api.stripe.com",
"api.twilio.com",
"*.mongodb.net",
"*.amazonaws.com"
]
}
}
Ruby on Rails
For Rails applications with bundler and common Ruby gems.
Use case: Rails web apps, Sinatra, Ruby scripts
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"~/.gem",
"~/.bundle",
"~/.rbenv",
"/tmp"
],
"deniedDirectories": [
"~/.ssh",
"~/.aws",
"/etc",
"/var"
],
"allowedDomains": [
"rubygems.org",
"*.rubygems.org",
"api.github.com",
"raw.githubusercontent.com",
"*.herokuapp.com"
]
}
}
Go Development
For Go projects with module downloads and common tooling.
Use case: Go CLI tools, microservices, web servers
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"~/go",
"~/.cache/go-build",
"/tmp"
],
"deniedDirectories": [
"~/.ssh",
"~/.aws",
"/etc",
"/var"
],
"allowedDomains": [
"proxy.golang.org",
"sum.golang.org",
"*.golang.org",
"github.com",
"*.github.com",
"api.github.com"
]
}
}
Rust Development
For Rust projects using cargo and crates.io.
Use case: Rust applications, CLI tools, system programming
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"~/.cargo",
"~/.rustup",
"/tmp"
],
"deniedDirectories": [
"~/.ssh",
"~/.aws",
"/etc",
"/var"
],
"allowedDomains": [
"crates.io",
"*.crates.io",
"static.crates.io",
"index.crates.io",
"github.com",
"*.github.com",
"raw.githubusercontent.com"
]
}
}
High Security (Untrusted Code)
Minimal permissions for running untrusted or experimental code.
Use case: Testing third-party code, security research, code review
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}/sandbox"
],
"deniedDirectories": [
"~/.ssh",
"~/.aws",
"~/.gcp",
"~/.azure",
"~/.config",
"~/.gnupg",
"/etc",
"/var",
"/usr",
"/System",
"/Library"
],
"allowedDomains": [],
"allowUnsandboxedCommands": false
}
}
Notes:
- No network access by default
- Limited to single subdirectory
- Blocks escape hatch
- Add domains only as absolutely necessary
API Integration
For projects primarily making API calls to external services.
Use case: Integration scripts, API clients, webhooks
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"/tmp"
],
"deniedDirectories": [
"~/.ssh",
"~/.aws",
"~/.config"
],
"allowedDomains": [
"api.stripe.com",
"api.openai.com",
"api.anthropic.com",
"*.twilio.com",
"api.sendgrid.com",
"hooks.slack.com",
"*.googleapis.com",
"graph.microsoft.com"
]
}
}
Customize: Replace with your specific API endpoints
DevOps/Infrastructure
For infrastructure-as-code and deployment scripts.
Use case: Terraform, Ansible, deployment automation
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"~/.terraform.d",
"~/.ansible",
"/tmp"
],
"deniedDirectories": [
"~/.ssh",
"~/.aws",
"~/.gcp",
"/etc/passwd"
],
"allowedDomains": [
"registry.terraform.io",
"releases.hashicorp.com",
"checkpoint-api.hashicorp.com",
"galaxy.ansible.com",
"github.com",
"*.github.com"
]
}
}
Warning: Be cautious with infrastructure code - verify before running
Mobile Development
For React Native, Flutter, or mobile app development.
Use case: Mobile app development, cross-platform frameworks
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"~/.npm",
"~/.pub-cache",
"~/Android/Sdk",
"~/Library/Android",
"/tmp"
],
"deniedDirectories": [
"~/.ssh",
"~/.aws",
"/etc",
"/var"
],
"allowedDomains": [
"registry.npmjs.org",
"pub.dev",
"*.pub.dev",
"maven.google.com",
"jcenter.bintray.com",
"repo1.maven.org",
"dl.google.com"
]
}
}
Template Variables
All templates support these variables:
${workspaceFolder}- Current project directory~- User home directory*- Wildcard for domains (use carefully)
Combining Templates
You can merge multiple templates for polyglot projects:
{
"sandbox": {
"enabled": true,
"allowedDirectories": [
"${workspaceFolder}",
"~/.npm",
"~/.local/lib/python3.11",
"/tmp"
],
"allowedDomains": [
"registry.npmjs.org",
"pypi.org",
"*.npmjs.org",
"*.pypi.org"
]
}
}
Testing Your Configuration
After applying a template:
- Enable sandbox:
/sandbox - Test file access:
ls ${workspaceFolder} - Test package install:
npm installorpip install - Monitor permission requests in Claude Code output
- Refine based on actual needs
Security Checklist
Before using any template:
- Verify all
allowedDirectoriesare necessary - Confirm
deniedDirectoriesincludes sensitive paths - Review each domain in
allowedDomains - Remove wildcards where possible
- Test with minimal permissions first
- Document why each permission is needed
Last Updated: 2025-11-14 Version: 1.0.0