Autonomous-Run Safety in Claude Code: Sandboxing, Prompt-Injection Defense, and Audit Logs

Before you let Claude run unattended, you need three independent enforcement layers, because a prompt injection can change what the agent wants to do but never what the harness allows. This episode wires up the sandbox, the deny rules, and the audit trail into one locked-down headless run. Episode page & show notes Try a walking desk - stay healthy & sharp while you learn & code Act II continues. This is the gate you put up before you let Claude Code run unattended. We build three independent enforcement layers, because they fail differently, and you need all three. The three pillars Sandboxing. The native Bash sandbox (docs) enforced by the OS: Seatbelt on macOS, bubblewrap + socat on Linux/WSL2 (sudo apt-get install bubblewrap socat). Default write is the working dir only; default read is the whole computer except denied dirs, which still includes ~/.aws/credentials and ~/.ssh unless you add denyRead. Network has no domains pre-allowed; the proxy does not inspect TLS, so broad domains like github.com are exfil paths. Key knobs: failIfUnavailable, allowUnsandboxedCommands, excludedCommands, CLAUDE_CODE_SUBPROCESS_ENV_SCRUB. Permissions & modes. Evaluation is deny then ask then allow, first match wins (Permissions). dontAsk is the unattended gem (fully non-interactive). --dangerously-skip-permissions is the anti-pattern: it replaces the prompt with nothing and offers no injection protection (Permission modes). Watch the gitignore-anchor footgun: /Users/alice/file is project-relative, not absolute. Prompt-injection defense. The lethal trifecta (private data + untrusted content + exfil channel). The patched Claude Code GitHub Action attack (Microsoft, oddguan, GMO Flatt): the Read tool bypassed the Bash sandbox and leaked /proc/self/environ. Fixed in claude-code-action v1.0.94. Plus auto mode, Security, and PreToolUse hooks. Audit logs. On-disk JSONL transcripts (.claude directory, unencrypted at rest), headless --output-format json with total_cost_usd (headless), and OpenTelemetry emitting claude_code.tool_decision and claude_code.tool_result out of the box. We close with one copyable locked-down headless workflow and the primary pitfall: the silent success of --dangerously-skip-permissions. Forward pointer: blast-radius engineering, next episode. News: Fable 5 and Mythos 5 pulled under a US export-control directive; Claude Code falls back to Opus 4.8 (switch with /model). Plus the v2.1.172–2.1.176 changelog hardening: enforceAvailableModels, nested sub-agents to 5 levels, and fixed permission-path matching.