
Sandbox Setup

Run Claude Code CLI safely in an isolated macOS VM

Run Claude Code on your host while it executes commands inside a sandboxed macOS VM via SSH. No MCP required—just the lume CLI and SSH.

Why sandbox Claude Code?

Claude Code is powerful—it can read files, run commands, install packages, and modify your system. Sometimes you want that power contained:

  • Experiment safely — Let Claude install dependencies, run builds, test scripts without touching your real system
  • Isolate risky operations — Test destructive commands, untrusted code, or experimental changes
  • Reset instantly — Clone a fresh VM to undo everything Claude did

Architecture

┌─────────────────────────────────────────────────────┐
│                Your Mac (Host)                      │
│                                                     │
│   ┌───────────────────┐    ┌───────────────────┐   │
│   │   Claude Code     │    │  ~/project        │   │
│   │   (runs here)     │    │  (shared folder)  │   │
│   └─────────┬─────────┘    └─────────┬─────────┘   │
│             │ SSH                    │ mounted     │
│   ┌─────────▼─────────────────────────▼─────────┐   │
│   │              macOS VM (Sandbox)             │   │
│   │                                             │   │
│   │  Commands execute here, isolated from host  │   │
│   │  Full macOS environment with network access │   │
│   │  Can only access /Volumes/My Shared Files   │   │
│   └─────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────┘

Step 1: Create the sandbox VM

# Create a VM with automated setup (15-20 min, no interaction needed)
lume create sandbox --os macos --ipsw latest --unattended tahoe

The tahoe preset creates user lume with password lume and enables SSH.

Step 2: Start the sandbox with your project

# Run headlessly, sharing your project folder
lume run sandbox --no-display --shared-dir ~/my-project

Inside the VM, your files appear at /Volumes/My Shared Files.

Step 3: Get the VM's IP address

lume get sandbox
# Look for the IP address in the output

Save this IP—you'll give it to Claude Code.

Step 4: Install Claude Code on your host

# macOS/Linux
curl -fsSL https://claude.ai/install.sh | bash

# Or with Homebrew
brew install --cask claude-code

See Claude Code docs for other installation methods.

Step 5: Use Claude Code with the sandbox

Now ask Claude Code to SSH into the sandbox and work there:

claude

Then tell Claude:

"SSH into lume@192.168.64.X (password: lume) and work on the project in /Volumes/My Shared Files. Install any dependencies you need, run builds, execute tests—all inside that VM."

Claude Code will:

  1. SSH into the sandbox VM
  2. Navigate to your shared project
  3. Run commands in the isolated environment
  4. Report results back to you

Claude Code runs on your host but executes commands via SSH inside the VM. Your host system stays untouched—only the sandbox and shared files are affected.

Example session

You: SSH into lume@192.168.64.5 and set up a Python project in /Volumes/My Shared Files

Claude: I'll connect to the VM and set up the project.

[Runs: ssh lume@192.168.64.5]
[Runs: cd /Volumes/My\ Shared\ Files]
[Runs: python3 -m venv venv]
[Runs: source venv/bin/activate]
[Runs: pip install -r requirements.txt]

Done! I've created a virtual environment and installed the dependencies.
The project is ready at /Volumes/My Shared Files.

All those commands ran inside the sandbox. Your host's Python, packages, and filesystem weren't touched.

Resetting the sandbox

Made a mess? Reset instantly:

# Create a golden image first (do this once, after initial setup)
lume clone sandbox sandbox-golden

# Reset to clean state anytime
lume stop sandbox
lume delete sandbox
lume clone sandbox-golden sandbox
lume run sandbox --no-display --shared-dir ~/my-project

Automating the workflow

Script the entire setup:

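#!/bin/bash
set -euo pipefail

# Project folder to share with the VM (required first argument)
PROJECT_DIR="${1:?usage: $0 <project-dir>}"
VM_NAME="sandbox"

# Start the sandbox in the background so the script can continue
lume run "$VM_NAME" --no-display --shared-dir "$PROJECT_DIR" &
sleep 10  # Wait for boot

# Get IP
VM_IP=$(lume get "$VM_NAME" --format json | jq -r '.ip')

echo "Sandbox ready!"
echo "Run: claude"
echo "Then tell Claude to SSH into lume@$VM_IP"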

Security considerations

The shared folder is read/write. Claude can modify or delete files in that folder. For sensitive work:

  • Share a copy of your project, not the original
  • Use git to track changes and revert if needed
  • Clone the VM before risky operations
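
One way to follow the "share a copy" advice, as an added example that is not part of the lume documentation: the function names make_share_copy and review_share_copy and the temp-directory location are assumptions. It copies the project to a throwaway directory to pass to --shared-dir, then lists what the session added (A), modified (M) or deleted (D) so you can review changes before copying anything back.

```bash
#!/bin/bash
# Added example (not lume code): function names and temp location are assumptions.

# Copy the project into a fresh throwaway directory and print that directory's path.
make_share_copy() {
    local src copy
    src="$1"
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 1; }
    copy="$(mktemp -d "${TMPDIR:-/tmp}/sandbox-share.XXXXXX")" || return 1
    cp -Rp "$src/." "$copy/" || return 1   # "/." also copies dotfiles such as .git
    printf '%s\n' "$copy"
}

# Compare the original with the shared copy after a session.
# Prints one line per path: "A" added, "M" modified, "D" deleted in the copy.
review_share_copy() {
    local src copy rel
    src="$1"
    copy="$2"
    # Files and symlinks present in the copy: new, or different from the original.
    (cd "$copy" && find . \( -type f -o -type l \) | LC_ALL=C sort) |
    while IFS= read -r rel; do
        if [ ! -e "$src/$rel" ] && [ ! -L "$src/$rel" ]; then
            echo "A ${rel#./}"
        elif ! cmp -s "$src/$rel" "$copy/$rel"; then
            echo "M ${rel#./}"
        fi
    done
    # Files and symlinks in the original that no longer exist in the copy.
    (cd "$src" && find . \( -type f -o -type l \) | LC_ALL=C sort) |
    while IFS= read -r rel; do
        [ -e "$copy/$rel" ] || [ -L "$copy/$rel" ] || echo "D ${rel#./}"
    done
}

# Usage:
#   copy="$(make_share_copy ~/my-project)"
#   lume run sandbox --no-display --shared-dir "$copy"
#   ... after the Claude Code session ...
#   review_share_copy ~/my-project "$copy"
```

Paths under .git/ show up in the listing like any other file, so changes to hooks or repository config made from inside the VM are visible before you run git against the copy on the host.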

The VM itself is fully isolated—code running inside cannot:

  • Access files outside the shared folder
  • Modify your host system
  • Read your host's environment variables or credentials

But it can:

  • Access the network
  • Install software inside the VM
  • Consume CPU/memory
