I have sandbox-exec set up for Claude like you suggest, but I’m not sure every CLI supports it? Claude only added it a month or two ago. A wrapper CLI that allows any command to be sandboxed is pretty appealing (Claude config was not trivial).

The downside is that it requires access to more than it technically needs (Claude keys for example). I’m working on a version where you sandbox the agent’s Bash tool, not the agent itself. https://github.com/Kiln-AI/Kilntainers

I like the idea but not the MCP part.

How about using bash-tool to intercept the commands and then passing them on to the containers?

https://github.com/vercel-labs/bash-tool

That's exactly what it does -- the bash commands are passed into the containers. It also manages container lifecycle (starting on first request, cleanup on connection shutdown).

If you're using an agent tool that already includes an existing bash tool which calls the host OS, just remove that one and add this.

My bad, looks like I misunderstood how bash-tool works.

Then how about running Claude Code or your harness of choice inside bubblewrap with a shim/stub for the base binary?

https://github.com/containers/bubblewrap
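One way to do what the last comment suggests, as an added example that is not from any of the thread's participants or from the bubblewrap project: a POSIX shell wrapper that runs an arbitrary command (a harness such as Claude Code, or only its bash tool) under bwrap with a deny-by-default filesystem policy. The bwrap flags are real bubblewrap options; the policy itself (host root read-only, private HOME and /tmp, only the project directory writable, no network unless asked for, sandbox dies with its parent) is this example's own choice, and the function names `bwrap_args` and `sandboxed_run` are assumptions. The shim/stub for the base binary mentioned in the comment is not part of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the bubblewrap project:
# run any command inside bubblewrap with a deny-by-default filesystem policy.

# bwrap_args PROJECT_DIR [allow_net]
# Prints one bwrap argument per line, ending with the "--" separator bwrap
# expects before the command, so the policy can be reviewed (or tested)
# without bubblewrap installed. The policy below is this example's choice.
bwrap_args() {
    project="$1"
    allow_net="${2:-no}"
    home="${HOME:-/root}"
    # Whole host filesystem visible but read-only: tools and libraries work,
    # nothing on the host can be modified from inside the sandbox.
    printf '%s\n' --ro-bind / /
    # Fresh /dev and /proc, and a scratch /tmp that vanishes with the sandbox.
    printf '%s\n' --dev /dev --proc /proc --tmpfs /tmp
    # Empty private home: host dotfiles, API keys and shell history are not
    # readable by the agent. Add explicit --ro-bind lines after this one for
    # the individual config files the harness really needs.
    printf '%s\n' --tmpfs "$home"
    # The only writable host path: the project the agent is working on.
    printf '%s\n' --bind "$project" "$project"
    # Own PID namespace; tear the sandbox down if the parent exits.
    printf '%s\n' --unshare-pid --die-with-parent
    # No network unless the caller opts in (a harness that must reach its
    # API endpoint passes "yes"; a pure build/test step does not).
    if [ "$allow_net" != yes ]; then
        printf '%s\n' --unshare-net
    fi
    printf '%s\n' --chdir "$project" --
}

# sandboxed_run PROJECT_DIR allow_net -- COMMAND [ARGS...]
# Rebuilds the argument list without word-splitting (paths may contain
# spaces) and execs bwrap with it.
sandboxed_run() {
    project="$1"
    allow_net="$2"
    shift 2
    [ "$1" = "--" ] && shift
    if [ ! -d "$project" ]; then
        echo "sandboxed_run: project dir not found: $project" >&2
        return 2
    fi
    if ! command -v bwrap >/dev/null 2>&1; then
        echo "sandboxed_run: bwrap not installed" >&2
        return 127
    fi
    cmd_count=$#
    # Append each printed policy argument as its own positional parameter.
    args_file=$(mktemp) || return 1
    bwrap_args "$project" "$allow_net" > "$args_file"
    while IFS= read -r arg; do
        set -- "$@" "$arg"
    done < "$args_file"
    rm -f "$args_file"
    # Rotate the original command to the end: bwrap POLICY... -- COMMAND...
    i=0
    while [ "$i" -lt "$cmd_count" ]; do
        set -- "$@" "$1"
        shift
        i=$((i + 1))
    done
    exec bwrap "$@"
}

# Usage (uncomment to run the harness with network access, from the project
# directory): sandboxed_run "$PWD" yes -- claude
```

Because HOME is an empty tmpfs inside the sandbox, the harness starts without the host's credentials; whatever it needs (its own config file, a single API key file) has to be bind-mounted read-only on purpose, which is the point: the agent sees exactly what was granted and nothing else. `bwrap_args` is separate from `sandboxed_run` so the policy can be printed and reviewed before anything is run.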