Me, the AI, and Our Sandbox

Codeberg holtwick/bx-mac GitHub holtwick/bx-mac

Three weeks ago, I published a sandbox to keep the AI somewhat in check. The built-in safeguards that Claude Code offers, for example, seemed untrustworthy to me, since they could usually be overridden by my instructions to the app. On top of that, I had a very uneasy feeling because sensitive information like SSH keys or project-specific confidential data in .env.local wasn’t inherently protected from the tools’ access.


When I looked around at the available options, most of them seemed quite complex or restricted my workflow — for example, working inside a Docker environment. I had something in mind that would be as simple as using .gitignore. So I got straight to work — ironically with the AI — building a cage for it.

We decided to use Apple’s macOS sandbox functionality. In principle, the restrictions I had specified in .bxignore simply needed to be translated into sandbox instructions. One feature that was important to me was the ability to also protect my development environment, since sensitive operations usually happen within the IDE — in my case, Visual Studio Code.

It quickly became clear that the ignore file alone wasn’t enough. I added a configuration that could accommodate the specifics of each application being used. This also allowed me to grant access to multiple directories, so I could work on several projects simultaneously. For this reason, I introduced a ~/.bxconfig.toml.

I can now type bx projects to launch my development environment. Visual Studio Code opens with access to my projects. Within those projects, all sensitive data is protected by .bxignore. On top of that, a global baseline configuration protects areas like .ssh and other sensitive locations. Neither the IDE nor the tools invoked within it — such as Claude Code — can access this data.
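
To make the translation step concrete, here is an added sketch (not bx's own code) that turns ignore entries into deny rules for a macOS sandbox profile. It assumes a gitignore-like subset for .bxignore and an allow-by-default profile; the function names, paths and sample patterns are constructed for illustration.

```python
import re

# Assumption: .bxignore accepts a gitignore-like subset (comments, *, ?, **,
# leading and trailing "/"). The post names .ssh as part of the global baseline.
BASELINE = [".ssh"]
DENY = "(deny file-read* file-write* {})"
# Order matters: longer glob tokens are tried first.
TOKENS = {"**/": "(.*/)?", "**": ".*", "*": "[^/]*", "?": "[^/]"}

def esc(text):
    """Backslash-escape regex metacharacters so path text matches literally."""
    return re.sub(r"([.^$*+?()\[\]{}|\\])", r"\\\1", text)

def glob_to_regex(root, pattern):
    """Turn one ignore pattern into a regex anchored at the project root."""
    anchored = pattern.startswith("/")
    pat = pattern.strip("/")
    out, i = [], 0
    while i < len(pat):
        tok = next((t for t in TOKENS if pat.startswith(t, i)), None)
        out.append(TOKENS[tok] if tok else esc(pat[i]))
        i += len(tok) if tok else 1
    # Like gitignore: a pattern without an inner slash applies at any depth.
    depth = "" if anchored or "/" in pat else "(.*/)?"
    # The trailing group also covers everything below a matched directory.
    return "^" + esc(root) + "/" + depth + "".join(out) + "(/.*)?$"

def build_profile(home, project, ignore_text):
    """Return profile text. Pass resolved paths: rules match real paths."""
    rules = ["(version 1)", "(allow default)"]
    for rel in BASELINE:
        rules.append(DENY.format(f'(subpath "{home}/{rel}")'))
    for raw in ignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!") or '"' in line:
            # Refuse rather than guess: this sketch handles neither case.
            raise ValueError(f"unsupported pattern: {line!r}")
        rules.append(DENY.format(f'(regex #"{glob_to_regex(project, line)}")'))
    return "\n".join(rules) + "\n"

# Constructed sample input, not taken from the post.
SAMPLE = "# secrets\n.env.local\nsecrets/\n/config/*.key\n"
PROFILE = build_profile("/Users/me", "/Users/me/proj", SAMPLE)

if __name__ == "__main__":
    print(PROFILE, end="")
```

On macOS the resulting text can be written to a file and passed to sandbox-exec -f to check that a read of a denied path fails inside the sandbox.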

After a while, I decided to use Visual Studio Code exclusively for AI work and installed the more open VSCodium alongside it for everything I didn’t want to do with AI, because it’s really hard to fully “clean up” VSCode.

Of course, none of this provides 100% security, but it doesn’t have to. It offers enough protection to not feel completely exposed, and it barely restricts the usual workflows. For me personally, it’s a great fit, and I’d be happy if others found it useful too.

Give it a try:

brew install holtwick/tap/bx 


Published on April 16, 2026
