Original Reddit post

I’m interested in how regular Claude Code users isolate it from their main machine and protect themselves against destructive commands. I’ve seen a few different approaches: Using pre- and post-tool hooks to detect or block destructive commands. (my current approach with manual review & approvals of commands) Pushing code to GitHub and relying on Claude Code’s cloud execution environment. Running Claude Code on a dedicated secondary device. Using Docker containers or a Linux virtual machine (on device or on server). My goal is to shift further towards auto-mode while minimising risk to my device; I don’t mind losing project work as I can version control via git with backups. I’m particularly interested in how people handle this on macOS on their main device. What setup are you using, and what trade-offs have you found? I’d appreciate detailed replies. EDIT: Given how the discussion is evolving, I’d like to hear ppls approach to sandboxing submitted by /u/nearlynarik

Originally posted by u/nearlynarik on r/ClaudeCode