Running an AI coding agent on a developer workstation means handing a process that reads untrusted input ambient access to your home directory. This article documents a practical way to reduce that exposure on Linux, tested on Kubuntu 24.04 with bubblewrap 0.9.0 and Claude Code 2.1.78.
The approach has two independent layers:
- an outer bubblewrap wrapper (
claude-safe) that restricts what the Claude process can see from the moment it starts: no ambient visibility into the home directory, a stripped environment, minimal DNS plumbing; - an inner Claude Code native sandbox that applies a second boundary specifically to Bash commands and their child processes, with network prompts for hosts outside your configured allowlist.
Used together, they form a workstation-grade defense-in-depth pattern. Used separately, each still solves a narrower but useful problem.
[Read More]