I believe this is also what Claude Code uses for the sandbox option.

Hi!

Yes that is correct. However, I think embedding bubblewrap in the binary is risky design for the end user.

They are giving users a convenience function for restricting the Claude instance’s access rights from within a session.

Thats helpful if you trust the client, but what if there is a bug in how the client invokes the bubblewrap container? You wouldn’t have this risk if they drove you to invoke Claude with bubblewrap.

Additionally, the pattern using bubblewrap in front of Claude can be exactly duplicated and applied to other coding agents- so you get consistency in access controls for all agents.

I hope the desirability of this having consistent access controls across all agents is shared by others. You don’t get that property if you use Claude’s embedded control. There will always be an asterisk about whether your opinion and theirs will be similar with respect to implementation of controls.