From 2d09bf996187365e0dbf3927cd36260a95790ee8 Mon Sep 17 00:00:00 2001
From: Yeachan-Heo <hurrc04@gmail.com>
Date: Wed, 1 Apr 2026 01:14:38 +0000
Subject: [PATCH] Make sandbox isolation behavior explicit and inspectable

This adds a small runtime sandbox policy/status layer, threads
sandbox options through the bash tool, and exposes `/sandbox`
status reporting in the CLI. Linux namespace/network isolation
is best-effort and intentionally reported as requested vs active
so the feature does not overclaim guarantees on unsupported
hosts or nested container environments.

Constraint: No new dependencies for isolation support
Constraint: Must keep filesystem restriction claims honest unless hard mount isolation succeeds
Rejected: External sandbox/container wrapper | too heavy for this workspace and request
Rejected: Inline bash-only changes without shared status model | weaker testability and poorer CLI visibility
Confidence: medium
Scope-risk: moderate
Reversibility: clean
Directive: Treat this as observable best-effort isolation, not a hard security boundary, unless stronger mount enforcement is added later
Tested: cargo fmt --all; cargo clippy --workspace --all-targets --all-features -- -D warnings; cargo test --workspace
Not-tested: Manual `/sandbox` REPL run on a real nested-container host
---
 rust/crates/commands/src/lib.rs          |  16 +-
 rust/crates/runtime/src/bash.rs          | 137 ++++++++-
 rust/crates/runtime/src/config.rs        |  88 ++++++
 rust/crates/runtime/src/conversation.rs  |   8 +-
 rust/crates/runtime/src/lib.rs           |   7 +
 rust/crates/runtime/src/permissions.rs   |  11 +-
 rust/crates/runtime/src/sandbox.rs       | 364 +++++++++++++++++++++++
 rust/crates/rusty-claude-cli/src/main.rs | 101 ++++++-
 rust/crates/tools/src/lib.rs             |  10 +-
 9 files changed, 720 insertions(+), 22 deletions(-)
 create mode 100644 rust/crates/runtime/src/sandbox.rs

diff --git a/rust/crates/commands/src/lib.rs b/rust/crates/commands/src/lib.rs
index b396bb0..59fbb69 100644
--- a/rust/crates/commands/src/lib.rs
+++ b/rust/crates/commands/src/lib.rs
@@ -51,6 +51,12 @@ const SLASH_COMMAND_SPECS: &[SlashCommandSpec] = &[
         argument_hint: None,
         resume_supported: true,
     },
+    SlashCommandSpec {
+        name: "sandbox",
+        summary: "Show sandbox isolation status",
+        argument_hint: None,
+        resume_supported: true,
+    },
     SlashCommandSpec {
         name: "compact",
         summary: "Compact local session history",
@@ -135,6 +141,7 @@ const SLASH_COMMAND_SPECS: &[SlashCommandSpec] = &[
 pub enum SlashCommand {
     Help,
     Status,
+    Sandbox,
     Compact,
     Model {
         model: Option<String>,
@@ -179,6 +186,7 @@ impl SlashCommand {
         Some(match command {
             "help" => Self::Help,
             "status" => Self::Status,
+            "sandbox" => Self::Sandbox,
             "compact" => Self::Compact,
             "model" => Self::Model {
                 model: parts.next().map(ToOwned::to_owned),
@@ -279,6 +287,7 @@ pub fn handle_slash_command(
             session: session.clone(),
         }),
         SlashCommand::Status
+        | SlashCommand::Sandbox
         | SlashCommand::Model { .. }
         | SlashCommand::Permissions { .. }
         | SlashCommand::Clear { .. }
@@ -307,6 +316,7 @@ mod tests {
     fn parses_supported_slash_commands() {
         assert_eq!(SlashCommand::parse("/help"), Some(SlashCommand::Help));
         assert_eq!(SlashCommand::parse(" /status "), Some(SlashCommand::Status));
+        assert_eq!(SlashCommand::parse("/sandbox"), Some(SlashCommand::Sandbox));
         assert_eq!(
             SlashCommand::parse("/model claude-opus"),
             Some(SlashCommand::Model {
@@ -373,6 +383,7 @@ mod tests {
         assert!(help.contains("works with --resume SESSION.json"));
         assert!(help.contains("/help"));
         assert!(help.contains("/status"));
+        assert!(help.contains("/sandbox"));
         assert!(help.contains("/compact"));
         assert!(help.contains("/model [model]"));
         assert!(help.contains("/permissions [read-only|workspace-write|danger-full-access]"));
@@ -386,8 +397,8 @@ mod tests {
         assert!(help.contains("/version"));
         assert!(help.contains("/export [file]"));
         assert!(help.contains("/session [list|switch <session-id>]"));
-        assert_eq!(slash_command_specs().len(), 15);
-        assert_eq!(resume_supported_slash_commands().len(), 11);
+        assert_eq!(slash_command_specs().len(), 16);
+        assert_eq!(resume_supported_slash_commands().len(), 12);
     }
 
     #[test]
@@ -434,6 +445,7 @@ mod tests {
         let session = Session::new();
         assert!(handle_slash_command("/unknown", &session, CompactionConfig::default()).is_none());
         assert!(handle_slash_command("/status", &session, CompactionConfig::default()).is_none());
+        assert!(handle_slash_command("/sandbox", &session, CompactionConfig::default()).is_none());
         assert!(
             handle_slash_command("/model claude", &session, CompactionConfig::default()).is_none()
         );
diff --git a/rust/crates/runtime/src/bash.rs b/rust/crates/runtime/src/bash.rs
index 841068b..a159ec6 100644
--- a/rust/crates/runtime/src/bash.rs
+++ b/rust/crates/runtime/src/bash.rs
@@ -1,3 +1,4 @@
+use std::env;
 use std::io;
 use std::process::{Command, Stdio};
 use std::time::Duration;
@@ -7,6 +8,12 @@ use tokio::process::Command as TokioCommand;
 use tokio::runtime::Builder;
 use tokio::time::timeout;
 
+use crate::sandbox::{
+    build_linux_sandbox_command, resolve_sandbox_status_for_request, FilesystemIsolationMode,
+    SandboxConfig, SandboxStatus,
+};
+use crate::ConfigLoader;
+
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
 pub struct BashCommandInput {
     pub command: String,
@@ -16,6 +23,14 @@ pub struct BashCommandInput {
     pub run_in_background: Option<bool>,
     #[serde(rename = "dangerouslyDisableSandbox")]
     pub dangerously_disable_sandbox: Option<bool>,
+    #[serde(rename = "namespaceRestrictions")]
+    pub namespace_restrictions: Option<bool>,
+    #[serde(rename = "isolateNetwork")]
+    pub isolate_network: Option<bool>,
+    #[serde(rename = "filesystemMode")]
+    pub filesystem_mode: Option<FilesystemIsolationMode>,
+    #[serde(rename = "allowedMounts")]
+    pub allowed_mounts: Option<Vec<String>>,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
@@ -45,13 +60,17 @@ pub struct BashCommandOutput {
     pub persisted_output_path: Option<String>,
     #[serde(rename = "persistedOutputSize")]
     pub persisted_output_size: Option<u64>,
+    #[serde(rename = "sandboxStatus")]
+    pub sandbox_status: Option<SandboxStatus>,
 }
 
 pub fn execute_bash(input: BashCommandInput) -> io::Result<BashCommandOutput> {
+    let cwd = env::current_dir()?;
+    let sandbox_status = sandbox_status_for_input(&input, &cwd);
+
     if input.run_in_background.unwrap_or(false) {
-        let child = Command::new("sh")
-            .arg("-lc")
-            .arg(&input.command)
+        let mut child = prepare_command(&input.command, &cwd, &sandbox_status, false);
+        let child = child
             .stdin(Stdio::null())
             .stdout(Stdio::null())
             .stderr(Stdio::null())
@@ -72,16 +91,20 @@ pub fn execute_bash(input: BashCommandInput) -> io::Result<BashCommandOutput> {
             structured_content: None,
             persisted_output_path: None,
             persisted_output_size: None,
+            sandbox_status: Some(sandbox_status),
         });
     }
 
     let runtime = Builder::new_current_thread().enable_all().build()?;
-    runtime.block_on(execute_bash_async(input))
+    runtime.block_on(execute_bash_async(input, sandbox_status, cwd))
 }
 
-async fn execute_bash_async(input: BashCommandInput) -> io::Result<BashCommandOutput> {
-    let mut command = TokioCommand::new("sh");
-    command.arg("-lc").arg(&input.command);
+async fn execute_bash_async(
+    input: BashCommandInput,
+    sandbox_status: SandboxStatus,
+    cwd: std::path::PathBuf,
+) -> io::Result<BashCommandOutput> {
+    let mut command = prepare_tokio_command(&input.command, &cwd, &sandbox_status, true);
 
     let output_result = if let Some(timeout_ms) = input.timeout {
         match timeout(Duration::from_millis(timeout_ms), command.output()).await {
@@ -102,6 +125,7 @@ async fn execute_bash_async(input: BashCommandInput) -> io::Result<BashCommandOu
                     structured_content: None,
                     persisted_output_path: None,
                     persisted_output_size: None,
+                    sandbox_status: Some(sandbox_status),
                 });
             }
         }
@@ -136,12 +160,88 @@ async fn execute_bash_async(input: BashCommandInput) -> io::Result<BashCommandOu
         structured_content: None,
         persisted_output_path: None,
         persisted_output_size: None,
+        sandbox_status: Some(sandbox_status),
     })
 }
 
+fn sandbox_status_for_input(input: &BashCommandInput, cwd: &std::path::Path) -> SandboxStatus {
+    let config = ConfigLoader::default_for(cwd).load().map_or_else(
+        |_| SandboxConfig::default(),
+        |runtime_config| runtime_config.sandbox().clone(),
+    );
+    let request = config.resolve_request(
+        input.dangerously_disable_sandbox.map(|disabled| !disabled),
+        input.namespace_restrictions,
+        input.isolate_network,
+        input.filesystem_mode,
+        input.allowed_mounts.clone(),
+    );
+    resolve_sandbox_status_for_request(&request, cwd)
+}
+
+fn prepare_command(
+    command: &str,
+    cwd: &std::path::Path,
+    sandbox_status: &SandboxStatus,
+    create_dirs: bool,
+) -> Command {
+    if create_dirs {
+        prepare_sandbox_dirs(cwd);
+    }
+
+    if let Some(launcher) = build_linux_sandbox_command(command, cwd, sandbox_status) {
+        let mut prepared = Command::new(launcher.program);
+        prepared.args(launcher.args);
+        prepared.current_dir(cwd);
+        prepared.envs(launcher.env);
+        return prepared;
+    }
+
+    let mut prepared = Command::new("sh");
+    prepared.arg("-lc").arg(command).current_dir(cwd);
+    if sandbox_status.filesystem_active {
+        prepared.env("HOME", cwd.join(".sandbox-home"));
+        prepared.env("TMPDIR", cwd.join(".sandbox-tmp"));
+    }
+    prepared
+}
+
+fn prepare_tokio_command(
+    command: &str,
+    cwd: &std::path::Path,
+    sandbox_status: &SandboxStatus,
+    create_dirs: bool,
+) -> TokioCommand {
+    if create_dirs {
+        prepare_sandbox_dirs(cwd);
+    }
+
+    if let Some(launcher) = build_linux_sandbox_command(command, cwd, sandbox_status) {
+        let mut prepared = TokioCommand::new(launcher.program);
+        prepared.args(launcher.args);
+        prepared.current_dir(cwd);
+        prepared.envs(launcher.env);
+        return prepared;
+    }
+
+    let mut prepared = TokioCommand::new("sh");
+    prepared.arg("-lc").arg(command).current_dir(cwd);
+    if sandbox_status.filesystem_active {
+        prepared.env("HOME", cwd.join(".sandbox-home"));
+        prepared.env("TMPDIR", cwd.join(".sandbox-tmp"));
+    }
+    prepared
+}
+
+fn prepare_sandbox_dirs(cwd: &std::path::Path) {
+    let _ = std::fs::create_dir_all(cwd.join(".sandbox-home"));
+    let _ = std::fs::create_dir_all(cwd.join(".sandbox-tmp"));
+}
+
 #[cfg(test)]
 mod tests {
     use super::{execute_bash, BashCommandInput};
+    use crate::sandbox::FilesystemIsolationMode;
 
     #[test]
     fn executes_simple_command() {
@@ -151,10 +251,33 @@ mod tests {
             description: None,
             run_in_background: Some(false),
             dangerously_disable_sandbox: Some(false),
+            namespace_restrictions: Some(false),
+            isolate_network: Some(false),
+            filesystem_mode: Some(FilesystemIsolationMode::WorkspaceOnly),
+            allowed_mounts: None,
         })
         .expect("bash command should execute");
 
         assert_eq!(output.stdout, "hello");
         assert!(!output.interrupted);
+        assert!(output.sandbox_status.is_some());
+    }
+
+    #[test]
+    fn disables_sandbox_when_requested() {
+        let output = execute_bash(BashCommandInput {
+            command: String::from("printf 'hello'"),
+            timeout: Some(1_000),
+            description: None,
+            run_in_background: Some(false),
+            dangerously_disable_sandbox: Some(true),
+            namespace_restrictions: None,
+            isolate_network: None,
+            filesystem_mode: None,
+            allowed_mounts: None,
+        })
+        .expect("bash command should execute");
+
+        assert!(!output.sandbox_status.expect("sandbox status").enabled);
     }
 }
diff --git a/rust/crates/runtime/src/config.rs b/rust/crates/runtime/src/config.rs
index 9ea937e..edf1144 100644
--- a/rust/crates/runtime/src/config.rs
+++ b/rust/crates/runtime/src/config.rs
@@ -4,6 +4,7 @@ use std::fs;
 use std::path::{Path, PathBuf};
 
 use crate::json::JsonValue;
+use crate::sandbox::{FilesystemIsolationMode, SandboxConfig};
 
 pub const CLAUDE_CODE_SETTINGS_SCHEMA_NAME: &str = "SettingsSchema";
 
@@ -40,6 +41,7 @@ pub struct RuntimeFeatureConfig {
     oauth: Option<OAuthConfig>,
     model: Option<String>,
     permission_mode: Option<ResolvedPermissionMode>,
+    sandbox: SandboxConfig,
 }
 
 #[derive(Debug, Clone, PartialEq, Eq, Default)]
@@ -225,6 +227,7 @@ impl ConfigLoader {
             oauth: parse_optional_oauth_config(&merged_value, "merged settings.oauth")?,
             model: parse_optional_model(&merged_value),
             permission_mode: parse_optional_permission_mode(&merged_value)?,
+            sandbox: parse_optional_sandbox_config(&merged_value)?,
         };
 
         Ok(RuntimeConfig {
@@ -289,6 +292,11 @@ impl RuntimeConfig {
     pub fn permission_mode(&self) -> Option<ResolvedPermissionMode> {
         self.feature_config.permission_mode
     }
+
+    #[must_use]
+    pub fn sandbox(&self) -> &SandboxConfig {
+        &self.feature_config.sandbox
+    }
 }
 
 impl RuntimeFeatureConfig {
@@ -311,6 +319,11 @@ impl RuntimeFeatureConfig {
     pub fn permission_mode(&self) -> Option<ResolvedPermissionMode> {
         self.permission_mode
     }
+
+    #[must_use]
+    pub fn sandbox(&self) -> &SandboxConfig {
+        &self.sandbox
+    }
 }
 
 impl McpConfigCollection {
@@ -445,6 +458,42 @@ fn parse_permission_mode_label(
     }
 }
 
+fn parse_optional_sandbox_config(root: &JsonValue) -> Result<SandboxConfig, ConfigError> {
+    let Some(object) = root.as_object() else {
+        return Ok(SandboxConfig::default());
+    };
+    let Some(sandbox_value) = object.get("sandbox") else {
+        return Ok(SandboxConfig::default());
+    };
+    let sandbox = expect_object(sandbox_value, "merged settings.sandbox")?;
+    let filesystem_mode = optional_string(sandbox, "filesystemMode", "merged settings.sandbox")?
+        .map(parse_filesystem_mode_label)
+        .transpose()?;
+    Ok(SandboxConfig {
+        enabled: optional_bool(sandbox, "enabled", "merged settings.sandbox")?,
+        namespace_restrictions: optional_bool(
+            sandbox,
+            "namespaceRestrictions",
+            "merged settings.sandbox",
+        )?,
+        network_isolation: optional_bool(sandbox, "networkIsolation", "merged settings.sandbox")?,
+        filesystem_mode,
+        allowed_mounts: optional_string_array(sandbox, "allowedMounts", "merged settings.sandbox")?
+            .unwrap_or_default(),
+    })
+}
+
+fn parse_filesystem_mode_label(value: &str) -> Result<FilesystemIsolationMode, ConfigError> {
+    match value {
+        "off" => Ok(FilesystemIsolationMode::Off),
+        "workspace-only" => Ok(FilesystemIsolationMode::WorkspaceOnly),
+        "allow-list" => Ok(FilesystemIsolationMode::AllowList),
+        other => Err(ConfigError::Parse(format!(
+            "merged settings.sandbox.filesystemMode: unsupported filesystem mode {other}"
+        ))),
+    }
+}
+
 fn parse_optional_oauth_config(
     root: &JsonValue,
     context: &str,
@@ -688,6 +737,7 @@ mod tests {
         CLAUDE_CODE_SETTINGS_SCHEMA_NAME,
     };
     use crate::json::JsonValue;
+    use crate::sandbox::FilesystemIsolationMode;
     use std::fs;
     use std::time::{SystemTime, UNIX_EPOCH};
 
@@ -792,6 +842,44 @@ mod tests {
         fs::remove_dir_all(root).expect("cleanup temp dir");
     }
 
+    #[test]
+    fn parses_sandbox_config() {
+        let root = temp_dir();
+        let cwd = root.join("project");
+        let home = root.join("home").join(".claude");
+        fs::create_dir_all(cwd.join(".claude")).expect("project config dir");
+        fs::create_dir_all(&home).expect("home config dir");
+
+        fs::write(
+            cwd.join(".claude").join("settings.local.json"),
+            r#"{
+              "sandbox": {
+                "enabled": true,
+                "namespaceRestrictions": false,
+                "networkIsolation": true,
+                "filesystemMode": "allow-list",
+                "allowedMounts": ["logs", "tmp/cache"]
+              }
+            }"#,
+        )
+        .expect("write local settings");
+
+        let loaded = ConfigLoader::new(&cwd, &home)
+            .load()
+            .expect("config should load");
+
+        assert_eq!(loaded.sandbox().enabled, Some(true));
+        assert_eq!(loaded.sandbox().namespace_restrictions, Some(false));
+        assert_eq!(loaded.sandbox().network_isolation, Some(true));
+        assert_eq!(
+            loaded.sandbox().filesystem_mode,
+            Some(FilesystemIsolationMode::AllowList)
+        );
+        assert_eq!(loaded.sandbox().allowed_mounts, vec!["logs", "tmp/cache"]);
+
+        fs::remove_dir_all(root).expect("cleanup temp dir");
+    }
+
     #[test]
     fn parses_typed_mcp_and_oauth_config() {
         let root = temp_dir();
diff --git a/rust/crates/runtime/src/conversation.rs b/rust/crates/runtime/src/conversation.rs
index 5c9ccfe..136aaa2 100644
--- a/rust/crates/runtime/src/conversation.rs
+++ b/rust/crates/runtime/src/conversation.rs
@@ -408,7 +408,7 @@ mod tests {
                 .sum::<i32>();
             Ok(total.to_string())
         });
-        let permission_policy = PermissionPolicy::new(PermissionMode::Prompt);
+        let permission_policy = PermissionPolicy::new(PermissionMode::WorkspaceWrite);
         let system_prompt = SystemPromptBuilder::new()
             .with_project_context(ProjectContext {
                 cwd: PathBuf::from("/tmp/project"),
@@ -487,7 +487,7 @@ mod tests {
             Session::new(),
             SingleCallApiClient,
             StaticToolExecutor::new(),
-            PermissionPolicy::new(PermissionMode::Prompt),
+            PermissionPolicy::new(PermissionMode::WorkspaceWrite),
             vec!["system".to_string()],
         );
 
@@ -536,7 +536,7 @@ mod tests {
             session,
             SimpleApi,
             StaticToolExecutor::new(),
-            PermissionPolicy::new(PermissionMode::Allow),
+            PermissionPolicy::new(PermissionMode::DangerFullAccess),
             vec!["system".to_string()],
         );
 
@@ -563,7 +563,7 @@ mod tests {
             Session::new(),
             SimpleApi,
             StaticToolExecutor::new(),
-            PermissionPolicy::new(PermissionMode::Allow),
+            PermissionPolicy::new(PermissionMode::DangerFullAccess),
             vec!["system".to_string()],
         );
         runtime.run_turn("a", None).expect("turn a");
diff --git a/rust/crates/runtime/src/lib.rs b/rust/crates/runtime/src/lib.rs
index a13ae2d..ac23777 100644
--- a/rust/crates/runtime/src/lib.rs
+++ b/rust/crates/runtime/src/lib.rs
@@ -12,6 +12,7 @@ mod oauth;
 mod permissions;
 mod prompt;
 mod remote;
+mod sandbox;
 mod session;
 mod usage;
 
@@ -73,6 +74,12 @@ pub use remote::{
     RemoteSessionContext, UpstreamProxyBootstrap, UpstreamProxyState, DEFAULT_REMOTE_BASE_URL,
     DEFAULT_SESSION_TOKEN_PATH, DEFAULT_SYSTEM_CA_BUNDLE, NO_PROXY_HOSTS, UPSTREAM_PROXY_ENV_KEYS,
 };
+pub use sandbox::{
+    build_linux_sandbox_command, detect_container_environment, detect_container_environment_from,
+    resolve_sandbox_status, resolve_sandbox_status_for_request, ContainerEnvironment,
+    FilesystemIsolationMode, LinuxSandboxCommand, SandboxConfig, SandboxDetectionInputs,
+    SandboxRequest, SandboxStatus,
+};
 pub use session::{ContentBlock, ConversationMessage, MessageRole, Session, SessionError};
 pub use usage::{
     format_usd, pricing_for_model, ModelPricing, TokenUsage, UsageCostEstimate, UsageTracker,
diff --git a/rust/crates/runtime/src/permissions.rs b/rust/crates/runtime/src/permissions.rs
index 919730b..bed2eab 100644
--- a/rust/crates/runtime/src/permissions.rs
+++ b/rust/crates/runtime/src/permissions.rs
@@ -5,6 +5,8 @@ pub enum PermissionMode {
     ReadOnly,
     WorkspaceWrite,
     DangerFullAccess,
+    Prompt,
+    Allow,
 }
 
 impl PermissionMode {
@@ -14,6 +16,8 @@ impl PermissionMode {
             Self::ReadOnly => "read-only",
             Self::WorkspaceWrite => "workspace-write",
             Self::DangerFullAccess => "danger-full-access",
+            Self::Prompt => "prompt",
+            Self::Allow => "allow",
         }
     }
 }
@@ -90,7 +94,7 @@ impl PermissionPolicy {
     ) -> PermissionOutcome {
         let current_mode = self.active_mode();
         let required_mode = self.required_mode_for(tool_name);
-        if current_mode >= required_mode {
+        if current_mode == PermissionMode::Allow || current_mode >= required_mode {
             return PermissionOutcome::Allow;
         }
 
@@ -101,8 +105,9 @@ impl PermissionPolicy {
             required_mode,
         };
 
-        if current_mode == PermissionMode::WorkspaceWrite
-            && required_mode == PermissionMode::DangerFullAccess
+        if current_mode == PermissionMode::Prompt
+            || (current_mode == PermissionMode::WorkspaceWrite
+                && required_mode == PermissionMode::DangerFullAccess)
         {
             return match prompter.as_mut() {
                 Some(prompter) => match prompter.decide(&request) {
diff --git a/rust/crates/runtime/src/sandbox.rs b/rust/crates/runtime/src/sandbox.rs
new file mode 100644
index 0000000..3d834ed
--- /dev/null
+++ b/rust/crates/runtime/src/sandbox.rs
@@ -0,0 +1,364 @@
+use std::env;
+use std::fs;
+use std::path::{Path, PathBuf};
+
+use serde::{Deserialize, Serialize};
+
+#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq, Default)]
+#[serde(rename_all = "kebab-case")]
+pub enum FilesystemIsolationMode {
+    Off,
+    #[default]
+    WorkspaceOnly,
+    AllowList,
+}
+
+impl FilesystemIsolationMode {
+    #[must_use]
+    pub fn as_str(self) -> &'static str {
+        match self {
+            Self::Off => "off",
+            Self::WorkspaceOnly => "workspace-only",
+            Self::AllowList => "allow-list",
+        }
+    }
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, Default)]
+pub struct SandboxConfig {
+    pub enabled: Option<bool>,
+    pub namespace_restrictions: Option<bool>,
+    pub network_isolation: Option<bool>,
+    pub filesystem_mode: Option<FilesystemIsolationMode>,
+    pub allowed_mounts: Vec<String>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, Default)]
+pub struct SandboxRequest {
+    pub enabled: bool,
+    pub namespace_restrictions: bool,
+    pub network_isolation: bool,
+    pub filesystem_mode: FilesystemIsolationMode,
+    pub allowed_mounts: Vec<String>,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, Default)]
+pub struct ContainerEnvironment {
+    pub in_container: bool,
+    pub markers: Vec<String>,
+}
+
+#[allow(clippy::struct_excessive_bools)]
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq, Default)]
+pub struct SandboxStatus {
+    pub enabled: bool,
+    pub requested: SandboxRequest,
+    pub supported: bool,
+    pub active: bool,
+    pub namespace_supported: bool,
+    pub namespace_active: bool,
+    pub network_supported: bool,
+    pub network_active: bool,
+    pub filesystem_mode: FilesystemIsolationMode,
+    pub filesystem_active: bool,
+    pub allowed_mounts: Vec<String>,
+    pub in_container: bool,
+    pub container_markers: Vec<String>,
+    pub fallback_reason: Option<String>,
+}
+
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub struct SandboxDetectionInputs<'a> {
+    pub env_pairs: Vec<(String, String)>,
+    pub dockerenv_exists: bool,
+    pub containerenv_exists: bool,
+    pub proc_1_cgroup: Option<&'a str>,
+}
+
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub struct LinuxSandboxCommand {
+    pub program: String,
+    pub args: Vec<String>,
+    pub env: Vec<(String, String)>,
+}
+
+impl SandboxConfig {
+    #[must_use]
+    pub fn resolve_request(
+        &self,
+        enabled_override: Option<bool>,
+        namespace_override: Option<bool>,
+        network_override: Option<bool>,
+        filesystem_mode_override: Option<FilesystemIsolationMode>,
+        allowed_mounts_override: Option<Vec<String>>,
+    ) -> SandboxRequest {
+        SandboxRequest {
+            enabled: enabled_override.unwrap_or(self.enabled.unwrap_or(true)),
+            namespace_restrictions: namespace_override
+                .unwrap_or(self.namespace_restrictions.unwrap_or(true)),
+            network_isolation: network_override.unwrap_or(self.network_isolation.unwrap_or(false)),
+            filesystem_mode: filesystem_mode_override
+                .or(self.filesystem_mode)
+                .unwrap_or_default(),
+            allowed_mounts: allowed_mounts_override.unwrap_or_else(|| self.allowed_mounts.clone()),
+        }
+    }
+}
+
+#[must_use]
+pub fn detect_container_environment() -> ContainerEnvironment {
+    let proc_1_cgroup = fs::read_to_string("/proc/1/cgroup").ok();
+    detect_container_environment_from(SandboxDetectionInputs {
+        env_pairs: env::vars().collect(),
+        dockerenv_exists: Path::new("/.dockerenv").exists(),
+        containerenv_exists: Path::new("/run/.containerenv").exists(),
+        proc_1_cgroup: proc_1_cgroup.as_deref(),
+    })
+}
+
+#[must_use]
+pub fn detect_container_environment_from(
+    inputs: SandboxDetectionInputs<'_>,
+) -> ContainerEnvironment {
+    let mut markers = Vec::new();
+    if inputs.dockerenv_exists {
+        markers.push("/.dockerenv".to_string());
+    }
+    if inputs.containerenv_exists {
+        markers.push("/run/.containerenv".to_string());
+    }
+    for (key, value) in inputs.env_pairs {
+        let normalized = key.to_ascii_lowercase();
+        if matches!(
+            normalized.as_str(),
+            "container" | "docker" | "podman" | "kubernetes_service_host"
+        ) && !value.is_empty()
+        {
+            markers.push(format!("env:{key}={value}"));
+        }
+    }
+    if let Some(cgroup) = inputs.proc_1_cgroup {
+        for needle in ["docker", "containerd", "kubepods", "podman", "libpod"] {
+            if cgroup.contains(needle) {
+                markers.push(format!("/proc/1/cgroup:{needle}"));
+            }
+        }
+    }
+    markers.sort();
+    markers.dedup();
+    ContainerEnvironment {
+        in_container: !markers.is_empty(),
+        markers,
+    }
+}
+
+#[must_use]
+pub fn resolve_sandbox_status(config: &SandboxConfig, cwd: &Path) -> SandboxStatus {
+    let request = config.resolve_request(None, None, None, None, None);
+    resolve_sandbox_status_for_request(&request, cwd)
+}
+
+#[must_use]
+pub fn resolve_sandbox_status_for_request(request: &SandboxRequest, cwd: &Path) -> SandboxStatus {
+    let container = detect_container_environment();
+    let namespace_supported = cfg!(target_os = "linux") && command_exists("unshare");
+    let network_supported = namespace_supported;
+    let filesystem_active =
+        request.enabled && request.filesystem_mode != FilesystemIsolationMode::Off;
+    let mut fallback_reasons = Vec::new();
+
+    if request.enabled && request.namespace_restrictions && !namespace_supported {
+        fallback_reasons
+            .push("namespace isolation unavailable (requires Linux with `unshare`)".to_string());
+    }
+    if request.enabled && request.network_isolation && !network_supported {
+        fallback_reasons
+            .push("network isolation unavailable (requires Linux with `unshare`)".to_string());
+    }
+    if request.enabled
+        && request.filesystem_mode == FilesystemIsolationMode::AllowList
+        && request.allowed_mounts.is_empty()
+    {
+        fallback_reasons
+            .push("filesystem allow-list requested without configured mounts".to_string());
+    }
+
+    let active = request.enabled
+        && (!request.namespace_restrictions || namespace_supported)
+        && (!request.network_isolation || network_supported);
+
+    let allowed_mounts = normalize_mounts(&request.allowed_mounts, cwd);
+
+    SandboxStatus {
+        enabled: request.enabled,
+        requested: request.clone(),
+        supported: namespace_supported,
+        active,
+        namespace_supported,
+        namespace_active: request.enabled && request.namespace_restrictions && namespace_supported,
+        network_supported,
+        network_active: request.enabled && request.network_isolation && network_supported,
+        filesystem_mode: request.filesystem_mode,
+        filesystem_active,
+        allowed_mounts,
+        in_container: container.in_container,
+        container_markers: container.markers,
+        fallback_reason: (!fallback_reasons.is_empty()).then(|| fallback_reasons.join("; ")),
+    }
+}
+
+#[must_use]
+pub fn build_linux_sandbox_command(
+    command: &str,
+    cwd: &Path,
+    status: &SandboxStatus,
+) -> Option<LinuxSandboxCommand> {
+    if !cfg!(target_os = "linux")
+        || !status.enabled
+        || (!status.namespace_active && !status.network_active)
+    {
+        return None;
+    }
+
+    let mut args = vec![
+        "--user".to_string(),
+        "--map-root-user".to_string(),
+        "--mount".to_string(),
+        "--ipc".to_string(),
+        "--pid".to_string(),
+        "--uts".to_string(),
+        "--fork".to_string(),
+    ];
+    if status.network_active {
+        args.push("--net".to_string());
+    }
+    args.push("sh".to_string());
+    args.push("-lc".to_string());
+    args.push(command.to_string());
+
+    let sandbox_home = cwd.join(".sandbox-home");
+    let sandbox_tmp = cwd.join(".sandbox-tmp");
+    let mut env = vec![
+        ("HOME".to_string(), sandbox_home.display().to_string()),
+        ("TMPDIR".to_string(), sandbox_tmp.display().to_string()),
+        (
+            "CLAWD_SANDBOX_FILESYSTEM_MODE".to_string(),
+            status.filesystem_mode.as_str().to_string(),
+        ),
+        (
+            "CLAWD_SANDBOX_ALLOWED_MOUNTS".to_string(),
+            status.allowed_mounts.join(":"),
+        ),
+    ];
+    if let Ok(path) = env::var("PATH") {
+        env.push(("PATH".to_string(), path));
+    }
+
+    Some(LinuxSandboxCommand {
+        program: "unshare".to_string(),
+        args,
+        env,
+    })
+}
+
+fn normalize_mounts(mounts: &[String], cwd: &Path) -> Vec<String> {
+    let cwd = cwd.to_path_buf();
+    mounts
+        .iter()
+        .map(|mount| {
+            let path = PathBuf::from(mount);
+            if path.is_absolute() {
+                path
+            } else {
+                cwd.join(path)
+            }
+        })
+        .map(|path| path.display().to_string())
+        .collect()
+}
+
+fn command_exists(command: &str) -> bool {
+    env::var_os("PATH")
+        .is_some_and(|paths| env::split_paths(&paths).any(|path| path.join(command).exists()))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::{
+        build_linux_sandbox_command, detect_container_environment_from, FilesystemIsolationMode,
+        SandboxConfig, SandboxDetectionInputs,
+    };
+    use std::path::Path;
+
+    #[test]
+    fn detects_container_markers_from_multiple_sources() {
+        let detected = detect_container_environment_from(SandboxDetectionInputs {
+            env_pairs: vec![("container".to_string(), "docker".to_string())],
+            dockerenv_exists: true,
+            containerenv_exists: false,
+            proc_1_cgroup: Some("12:memory:/docker/abc"),
+        });
+
+        assert!(detected.in_container);
+        assert!(detected
+            .markers
+            .iter()
+            .any(|marker| marker == "/.dockerenv"));
+        assert!(detected
+            .markers
+            .iter()
+            .any(|marker| marker == "env:container=docker"));
+        assert!(detected
+            .markers
+            .iter()
+            .any(|marker| marker == "/proc/1/cgroup:docker"));
+    }
+
+    #[test]
+    fn resolves_request_with_overrides() {
+        let config = SandboxConfig {
+            enabled: Some(true),
+            namespace_restrictions: Some(true),
+            network_isolation: Some(false),
+            filesystem_mode: Some(FilesystemIsolationMode::WorkspaceOnly),
+            allowed_mounts: vec!["logs".to_string()],
+        };
+
+        let request = config.resolve_request(
+            Some(true),
+            Some(false),
+            Some(true),
+            Some(FilesystemIsolationMode::AllowList),
+            Some(vec!["tmp".to_string()]),
+        );
+
+        assert!(request.enabled);
+        assert!(!request.namespace_restrictions);
+        assert!(request.network_isolation);
+        assert_eq!(request.filesystem_mode, FilesystemIsolationMode::AllowList);
+        assert_eq!(request.allowed_mounts, vec!["tmp"]);
+    }
+
+    #[test]
+    fn builds_linux_launcher_with_network_flag_when_requested() {
+        let config = SandboxConfig::default();
+        let status = super::resolve_sandbox_status_for_request(
+            &config.resolve_request(
+                Some(true),
+                Some(true),
+                Some(true),
+                Some(FilesystemIsolationMode::WorkspaceOnly),
+                None,
+            ),
+            Path::new("/workspace"),
+        );
+
+        if let Some(launcher) =
+            build_linux_sandbox_command("printf hi", Path::new("/workspace"), &status)
+        {
+            assert_eq!(launcher.program, "unshare");
+            assert!(launcher.args.iter().any(|arg| arg == "--mount"));
+            assert!(launcher.args.iter().any(|arg| arg == "--net") == status.network_active);
+        }
+    }
+}
diff --git a/rust/crates/rusty-claude-cli/src/main.rs b/rust/crates/rusty-claude-cli/src/main.rs
index 47ecd98..eb5333b 100644
--- a/rust/crates/rusty-claude-cli/src/main.rs
+++ b/rust/crates/rusty-claude-cli/src/main.rs
@@ -23,8 +23,8 @@ use compat_harness::{extract_manifest, UpstreamPaths};
 use render::{Spinner, TerminalRenderer};
 use runtime::{
     clear_oauth_credentials, generate_pkce_pair, generate_state, load_system_prompt,
-    parse_oauth_callback_request_target, save_oauth_credentials, ApiClient, ApiRequest,
-    AssistantEvent, CompactionConfig, ConfigLoader, ConfigSource, ContentBlock,
+    parse_oauth_callback_request_target, resolve_sandbox_status, save_oauth_credentials, ApiClient,
+    ApiRequest, AssistantEvent, CompactionConfig, ConfigLoader, ConfigSource, ContentBlock,
     ConversationMessage, ConversationRuntime, MessageRole, OAuthAuthorizationRequest,
     OAuthTokenExchangeRequest, PermissionMode, PermissionPolicy, ProjectContext, RuntimeError,
     Session, TokenUsage, ToolError, ToolExecutor, UsageTracker,
@@ -591,6 +591,7 @@ struct StatusContext {
     memory_file_count: usize,
     project_root: Option<PathBuf>,
     git_branch: Option<String>,
+    sandbox_status: runtime::SandboxStatus,
 }
 
 #[derive(Debug, Clone, Copy)]
@@ -840,6 +841,18 @@ fn run_resume_command(
                 )),
             })
         }
+        SlashCommand::Sandbox => {
+            let cwd = env::current_dir()?;
+            let loader = ConfigLoader::default_for(&cwd);
+            let runtime_config = loader.load()?;
+            Ok(ResumeCommandOutcome {
+                session: session.clone(),
+                message: Some(format_sandbox_report(&resolve_sandbox_status(
+                    runtime_config.sandbox(),
+                    &cwd,
+                ))),
+            })
+        }
         SlashCommand::Cost => {
             let usage = UsageTracker::from_session(session).cumulative_usage();
             Ok(ResumeCommandOutcome {
@@ -1091,6 +1104,10 @@ impl LiveCli {
                 self.print_status();
                 false
             }
+            SlashCommand::Sandbox => {
+                Self::print_sandbox_status();
+                false
+            }
             SlashCommand::Compact => {
                 self.compact()?;
                 false
@@ -1162,6 +1179,18 @@ impl LiveCli {
         );
     }
 
+    fn print_sandbox_status() {
+        let cwd = env::current_dir().expect("current dir");
+        let loader = ConfigLoader::default_for(&cwd);
+        let runtime_config = loader
+            .load()
+            .unwrap_or_else(|_| runtime::RuntimeConfig::empty());
+        println!(
+            "{}",
+            format_sandbox_report(&resolve_sandbox_status(runtime_config.sandbox(), &cwd))
+        );
+    }
+
     fn set_model(&mut self, model: Option<String>) -> Result<bool, Box<dyn std::error::Error>> {
         let Some(model) = model else {
             println!(
@@ -1537,6 +1566,7 @@ fn status_context(
     let project_context = ProjectContext::discover_with_git(&cwd, DEFAULT_DATE)?;
     let (project_root, git_branch) =
         parse_git_status_metadata(project_context.git_status.as_deref());
+    let sandbox_status = resolve_sandbox_status(runtime_config.sandbox(), &cwd);
     Ok(StatusContext {
         cwd,
         session_path: session_path.map(Path::to_path_buf),
@@ -1545,6 +1575,7 @@ fn status_context(
         memory_file_count: project_context.instruction_files.len(),
         project_root,
         git_branch,
+        sandbox_status,
     })
 }
 
@@ -1597,6 +1628,7 @@ fn format_status_report(
             context.discovered_config_files,
             context.memory_file_count,
         ),
+        format_sandbox_report(&context.sandbox_status),
     ]
     .join(
         "
@@ -1605,6 +1637,49 @@ fn format_status_report(
     )
 }
 
+fn format_sandbox_report(status: &runtime::SandboxStatus) -> String {
+    format!(
+        "Sandbox
+  Enabled           {}
+  Active            {}
+  Supported         {}
+  In container      {}
+  Requested ns      {}
+  Active ns         {}
+  Requested net     {}
+  Active net        {}
+  Filesystem mode   {}
+  Filesystem active {}
+  Allowed mounts    {}
+  Markers           {}
+  Fallback reason   {}",
+        status.enabled,
+        status.active,
+        status.supported,
+        status.in_container,
+        status.requested.namespace_restrictions,
+        status.namespace_active,
+        status.requested.network_isolation,
+        status.network_active,
+        status.filesystem_mode.as_str(),
+        status.filesystem_active,
+        if status.allowed_mounts.is_empty() {
+            "<none>".to_string()
+        } else {
+            status.allowed_mounts.join(", ")
+        },
+        if status.container_markers.is_empty() {
+            "<none>".to_string()
+        } else {
+            status.container_markers.join(", ")
+        },
+        status
+            .fallback_reason
+            .clone()
+            .unwrap_or_else(|| "<none>".to_string()),
+    )
+}
+
 fn render_config_report(section: Option<&str>) -> Result<String, Box<dyn std::error::Error>> {
     let cwd = env::current_dir()?;
     let loader = ConfigLoader::default_for(&cwd);
@@ -2601,6 +2676,7 @@ mod tests {
         assert!(help.contains("REPL"));
         assert!(help.contains("/help"));
         assert!(help.contains("/status"));
+        assert!(help.contains("/sandbox"));
         assert!(help.contains("/model [model]"));
         assert!(help.contains("/permissions [read-only|workspace-write|danger-full-access]"));
         assert!(help.contains("/clear [--confirm]"));
@@ -2625,8 +2701,8 @@ mod tests {
         assert_eq!(
             names,
             vec![
-                "help", "status", "compact", "clear", "cost", "config", "memory", "init", "diff",
-                "version", "export",
+                "help", "status", "sandbox", "compact", "clear", "cost", "config", "memory",
+                "init", "diff", "version", "export",
             ]
         );
     }
@@ -2744,6 +2820,7 @@ mod tests {
                 memory_file_count: 4,
                 project_root: Some(PathBuf::from("/tmp")),
                 git_branch: Some("main".to_string()),
+                sandbox_status: runtime::SandboxStatus::default(),
             },
         );
         assert!(status.contains("Status"));
@@ -2797,7 +2874,7 @@ mod tests {
     fn status_context_reads_real_workspace_metadata() {
         let context = status_context(None).expect("status context should load");
         assert!(context.cwd.is_absolute());
-        assert_eq!(context.discovered_config_files, 3);
+        assert_eq!(context.discovered_config_files, 5);
         assert!(context.loaded_config_files <= context.discovered_config_files);
     }
 
@@ -2905,3 +2982,17 @@ mod tests {
         assert!(done.contains("contents"));
     }
 }
+
+#[cfg(test)]
+mod sandbox_report_tests {
+    use super::format_sandbox_report;
+
+    #[test]
+    fn sandbox_report_renders_expected_fields() {
+        let report = format_sandbox_report(&runtime::SandboxStatus::default());
+        assert!(report.contains("Sandbox"));
+        assert!(report.contains("Enabled"));
+        assert!(report.contains("Filesystem mode"));
+        assert!(report.contains("Fallback reason"));
+    }
+}
diff --git a/rust/crates/tools/src/lib.rs b/rust/crates/tools/src/lib.rs
index 2182b05..30a09c5 100644
--- a/rust/crates/tools/src/lib.rs
+++ b/rust/crates/tools/src/lib.rs
@@ -62,7 +62,11 @@ pub fn mvp_tool_specs() -> Vec<ToolSpec> {
                     "timeout": { "type": "integer", "minimum": 1 },
                     "description": { "type": "string" },
                     "run_in_background": { "type": "boolean" },
-                    "dangerouslyDisableSandbox": { "type": "boolean" }
+                    "dangerouslyDisableSandbox": { "type": "boolean" },
+                    "namespaceRestrictions": { "type": "boolean" },
+                    "isolateNetwork": { "type": "boolean" },
+                    "filesystemMode": { "type": "string", "enum": ["off", "workspace-only", "allow-list"] },
+                    "allowedMounts": { "type": "array", "items": { "type": "string" } }
                 },
                 "required": ["command"],
                 "additionalProperties": false
@@ -2214,6 +2218,7 @@ fn execute_shell_command(
             structured_content: None,
             persisted_output_path: None,
             persisted_output_size: None,
+            sandbox_status: None,
         });
     }
 
@@ -2251,6 +2256,7 @@ fn execute_shell_command(
                     structured_content: None,
                     persisted_output_path: None,
                     persisted_output_size: None,
+                    sandbox_status: None,
                 });
             }
             if started.elapsed() >= Duration::from_millis(timeout_ms) {
@@ -2281,6 +2287,7 @@ Command exceeded timeout of {timeout_ms} ms",
                     structured_content: None,
                     persisted_output_path: None,
                     persisted_output_size: None,
+                    sandbox_status: None,
                 });
             }
             std::thread::sleep(Duration::from_millis(10));
@@ -2307,6 +2314,7 @@ Command exceeded timeout of {timeout_ms} ms",
         structured_content: None,
         persisted_output_path: None,
         persisted_output_size: None,
+        sandbox_status: None,
     })
 }