claude-agent 0.2.25

Rust SDK for building AI agents with Anthropic's Claude - Direct API, no CLI dependency
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385

# Sandbox System

OS-level process isolation for secure command execution.

> For broader security features (TOCTOU-safe file operations, bash analysis, resource limits), see [Security Guide](security.md).

## Overview

```
┌─────────────────────────────────────────────────────────────┐
│                    Sandbox Architecture                      │
├─────────────────────────────────────────────────────────────┤
│                                                              │
│  ┌─────────────────────────────────────────────────────┐    │
│  │              SandboxRuntime (trait)                  │    │
│  │                                                      │    │
│  │  is_available() → bool                               │    │
│  │  apply() → Result<()>                                │    │
│  │  wrap_command(cmd) → Result<String>                  │    │
│  │  environment_vars() → HashMap                        │    │
│  └────────────────────┬─────────────────────────────────┘    │
│                       │                                      │
│          ┌────────────┴────────────┐                        │
│          ▼                         ▼                        │
│  ┌───────────────┐        ┌───────────────┐                 │
│  │ LandlockSandbox│        │SeatbeltSandbox│                 │
│  │   (Linux)     │        │   (macOS)     │                 │
│  │               │        │               │                 │
│  │ Kernel 5.13+  │        │ sandbox-exec  │                 │
│  │ LSM-based     │        │ Profile-based │                 │
│  └───────────────┘        └───────────────┘                 │
│                                                              │
└─────────────────────────────────────────────────────────────┘
```

## Platform Support

| Platform | Technology | Kernel/OS Version |
|----------|------------|-------------------|
| Linux | Landlock LSM | Kernel 5.13+ |
| macOS | Seatbelt (sandbox-exec) | All versions |
| Windows | Not supported | - |

## Quick Start

```rust
use claude_agent::security::sandbox::{Sandbox, SandboxConfig, create_sandbox};

// Simple creation
let sandbox = create_sandbox(&working_dir, true);

// With configuration
let config = SandboxConfig::new(working_dir.to_path_buf())
    .allowed_paths(vec!["/usr/local/bin".into()])
    .excluded_commands(vec!["docker".into()]);

let sandbox = Sandbox::new(config);

// Check availability
if sandbox.is_available() {
    let wrapped = sandbox.wrap_command("cargo build")?;
    // Execute wrapped command
}
```

## SandboxConfig

```rust
pub struct SandboxConfig {
    pub enabled: bool,                      // Enable sandbox
    pub auto_allow_bash_if_sandboxed: bool, // Auto-approve bash in sandbox
    pub excluded_commands: HashSet<String>, // Commands to bypass
    pub allow_unsandboxed_commands: bool,   // Allow bypass for excluded
    pub enable_weaker_nested_sandbox: bool, // Nested container support
    pub working_dir: PathBuf,               // Full access directory
    pub allowed_paths: Vec<PathBuf>,        // Read-only allowed paths
    pub denied_paths: Vec<String>,          // Blocked path patterns
    pub allowed_domains: HashSet<String>,   // Allowed network domains
    pub blocked_domains: HashSet<String>,   // Blocked network domains
    pub network: NetworkConfig,             // Network restrictions
}
```

### Configuration Options

| Option | Default | Description |
|--------|---------|-------------|
| `enabled` | `false` | Enable sandboxing |
| `auto_allow_bash_if_sandboxed` | `true` | Skip bash permission prompts when sandboxed |
| `excluded_commands` | `[]` | Commands that bypass sandbox |
| `allow_unsandboxed_commands` | `true` | Allow excluded commands to run unsandboxed |
| `enable_weaker_nested_sandbox` | `false` | Use weaker sandbox for containers |

### Builder Pattern

```rust
let config = SandboxConfig::new(PathBuf::from("/project"))
    .auto_allow_bash(true)
    .allowed_paths(vec![
        PathBuf::from("/usr/local"),
        PathBuf::from("/opt/tools"),
    ])
    .denied_paths(vec![
        "*.env".into(),
        "secrets/*".into(),
    ])
    .excluded_commands(vec![
        "docker".into(),
        "podman".into(),
    ])
    .network(NetworkConfig::proxy(Some(8080), None));
```

## NetworkConfig

```rust
pub struct NetworkConfig {
    pub allow_unix_sockets: Vec<String>,  // Allowed Unix sockets
    pub allow_local_binding: bool,        // Allow binding to localhost
    pub http_proxy_port: Option<u16>,     // HTTP proxy port
    pub socks_proxy_port: Option<u16>,    // SOCKS proxy port
}
```

### Proxy Configuration

```rust
// Force network through proxy
let network = NetworkConfig::proxy(Some(8080), Some(1080));

// Environment variables set automatically:
// HTTP_PROXY=http://127.0.0.1:8080
// HTTPS_PROXY=http://127.0.0.1:8080
// ALL_PROXY=socks5://127.0.0.1:1080
// NO_PROXY=localhost,127.0.0.1,::1

let config = SandboxConfig::new(working_dir)
    .network(network);
```

## Linux Landlock

Landlock is a Linux Security Module (LSM) available since kernel 5.13.

### How It Works

```
┌─────────────────────────────────────────┐
│          Landlock Sandbox               │
├─────────────────────────────────────────┤
│                                         │
│  1. Create ruleset                      │
│     Ruleset::default()                  │
│          │                              │
│          ▼                              │
│  2. Add filesystem rules                │
│     - Working dir: full access          │
│     - Allowed paths: read-only          │
│     - System paths: read-only           │
│          │                              │
│          ▼                              │
│  3. restrict_self()                     │
│     Process permanently sandboxed       │
│                                         │
└─────────────────────────────────────────┘
```

### Landlock ABI Versions

| ABI | Kernel | Features |
|-----|--------|----------|
| V1 | 5.13+ | Basic filesystem access |
| V2 | 5.19+ | File truncation |
| V3 | 6.2+ | File ioctl |
| V4 | 6.4+ | Network rules |

Best available ABI is auto-detected.

### Default Allowed Paths

```rust
// Read-only system paths
"/usr", "/lib", "/lib64", "/lib32",
"/bin", "/sbin", "/etc",
"/proc", "/sys", "/dev"

// Read-write temp paths
"/tmp", "/var/tmp"
```

## macOS Seatbelt

Seatbelt uses Apple's sandbox-exec with SBPL profiles.

### How It Works

```
┌─────────────────────────────────────────┐
│         Seatbelt Sandbox                │
├─────────────────────────────────────────┤
│                                         │
│  1. Generate SBPL profile               │
│     (version 1)                         │
│     (deny default)                      │
│     (allow file-read* ...)              │
│          │                              │
│          ▼                              │
│  2. Write profile to temp file          │
│     /tmp/claude-sandbox-{pid}.sb        │
│          │                              │
│          ▼                              │
│  3. Wrap command                        │
│     sandbox-exec -f profile.sb          │
│       bash -c 'original command'        │
│                                         │
└─────────────────────────────────────────┘
```

### Default Profile Rules

```lisp
;; System paths (read-only)
(allow file-read* (subpath "/usr"))
(allow file-read* (subpath "/bin"))
(allow file-read* (subpath "/Library"))
(allow file-read* (subpath "/System"))

;; Home directory tools (read-only)
(allow file-read* (subpath "~/.cargo"))
(allow file-read* (subpath "~/.rustup"))
(allow file-read* (subpath "~/.npm"))

;; Working directory (full access)
(allow file-read* file-write* file-ioctl (subpath "{working_dir}"))

;; Process execution
(allow process-exec (subpath "/bin"))
(allow process-exec (subpath "/usr/bin"))
(allow process-fork)

;; Network (configurable)
(allow network-outbound)
(allow network-outbound (remote udp "*:53"))  ;; DNS
```

## Command Wrapping

### Excluded Commands

Some commands need to bypass the sandbox:

```rust
let config = SandboxConfig::new(working_dir)
    .excluded_commands(vec![
        "docker".into(),    // Needs its own sandboxing
        "podman".into(),
        "kubectl".into(),
    ]);

// If command is excluded and allow_unsandboxed_commands is true:
sandbox.wrap_command("docker run nginx");
// Returns: "docker run nginx" (unwrapped)

// If allow_unsandboxed_commands is false:
// Returns: Error
```

### Auto-Allow Bash

When sandboxing is enabled, bash commands can be auto-approved:

```rust
let config = SandboxConfig::new(working_dir)
    .auto_allow_bash(true);

let sandbox = Sandbox::new(config);

if sandbox.should_auto_allow_bash() {
    // Skip permission prompt for bash commands
}
```

## Integration with Agent

```rust
use claude_agent::{Agent, security::sandbox::SandboxConfig};

let sandbox_config = SandboxConfig::new(project_dir.to_path_buf())
    .auto_allow_bash(true)
    .allowed_paths(vec![deps_dir]);

let agent = Agent::builder()
    .from_claude_code(".").await?
    .sandbox(sandbox_config)
    .build()
    .await?;
```

## Checking Sandbox Support

```rust
use claude_agent::security::sandbox::is_sandbox_supported;

if is_sandbox_supported() {
    println!("Sandbox available on this platform");
} else {
    println!("Sandbox not available");
}
```

## Bypass Options

```rust
// Explicit bypass (dangerouslyDisableSandbox in Bash tool)
let sandbox = Sandbox::new(config);

if sandbox.can_bypass(explicitly_requested) {
    // Run without sandbox
}
```

## Settings File

In `.claude/settings.json`:

```json
{
  "sandbox": {
    "enabled": true,
    "autoAllowBashIfSandboxed": true,
    "excludedCommands": ["docker", "kubectl"],
    "allowUnsandboxedCommands": true,
    "network": {
      "allowUnixSockets": ["~/.ssh/agent"],
      "httpProxyPort": 8080,
      "socksProxyPort": 1080
    }
  }
}
```

## Best Practices

1. **Enable in production**: Always enable sandboxing for untrusted inputs
2. **Minimal allowed paths**: Only add paths that are necessary
3. **Exclude container tools**: Docker/Podman have their own isolation
4. **Use proxy for network**: Control outbound network access
5. **Auto-allow bash**: Enable for better UX when sandboxed
6. **Test on target OS**: Sandbox behavior differs between Linux/macOS

## Troubleshooting

### Landlock Not Available

```bash
# Check kernel version
uname -r  # Needs 5.13+

# Check if Landlock is enabled
cat /sys/kernel/security/lsm | grep landlock
```

### Seatbelt Permission Denied

```bash
# Check sandbox-exec exists
ls -la /usr/bin/sandbox-exec

# Check SIP status (may affect sandbox)
csrutil status
```

### Command Fails in Sandbox

```rust
// Add the required path to allowed_paths
let config = SandboxConfig::new(working_dir)
    .allowed_paths(vec![
        PathBuf::from("/path/command/needs"),
    ]);

// Or exclude the command entirely
let config = SandboxConfig::new(working_dir)
    .excluded_commands(vec!["problematic-cmd".into()]);
```