And for the macOS users, I can’t recommend nono enough. (Paying it forward, since it was here on HN that I learned about it.)

Good DX, straightforward permissions system, starts up instantly. Just remember to disable CC’s auto-updater if that’s what you’re using. My sandbox ranking: nono > lima > containers.

This nono? https://github.com/always-further/nono

> Just remember to disable CC’s auto-updater if that’s what you’re using.

Why?

Might be something specific to my and my colleagues' systems, but it breaks the TUI. It needs git authentication, which fails, and the TUI stops accepting input reliably.

I’m using safe house [0]; it's a bash wrapper around sandbox-exec.

[0] https://agent-safehouse.dev/

I've just switched to lima, and can't find anything about "nono". Can you post a link?

I really like lima too. It's my go-to recommendation for light VMs. But I do consider it slightly less convenient.

A good example of why is project-local .venv/ directories, which are the default with uv. With Lima, what happens is that macOS package builds get mounted into a Linux system, with potential incompatibility issues. Run uv sync inside the VM and now things are invalid on the macOS side. I wasn't able to find a way to mount the CWD except for certain subdirectories.

Another example is network filtering. Lima (understandably) doesn't offer anything here. You can set up a firewall inside the VM, but there's no guarantee your agent won't find a way to touch those rules. You can set it up outside the VM, but then you're also proxying through a MITM.

So, for the use case of running Claude Code in --dangerously-skip-permissions mode, Lima is more hassle than Nono.