AI coding tools (Claude Code, Codex, OpenCode, Goose, Gemini, and others) run with full access to your machine. Your project directory, sure. But also your AWS credentials, your 1Password vault, your personal documents, your browser profiles. Everything.
This had been bothering me for a while when my student, Bardia, told me back in May or June of 2025 that he was genuinely uncomfortable with Claude Code having unfettered access to his machine. He was right. I wrote the first version of scode as a rough script for my own personal use that September and have been using it daily ever since. At some point I figured I should clean it up and put it out there. As academics, we do not just write papers or make up imaginary problems. Sometimes we build things that are useful. Hopefully this is one of those.
Full access, no questions asked
AI harnesses need access to your project directory, system tools, and the network. They generally do not need access to your SSH keys, cloud credentials, browser profiles, password managers, or personal documents. Yet nothing enforces that separation in a consistent, tool-agnostic way.
These tools are not malicious, but they are powerful, operate autonomously, and make mistakes. An agent that confidently executes a wrong plan is one thing. An agent that does so with access to your cloud credentials and everything else on your machine is another.
A bash script with opinions
scode wraps any AI coding harness in an OS-level sandbox. It uses Apple's Seatbelt framework on macOS and bubblewrap on Linux, both built into the OS or easily installable. No containers, no daemons, no language runtimes. A single bash script.
It ships with two modes:
- Default mode: everything is allowed, then specific sensitive directories are denied. Practical for daily use.
- Strict mode: everything is denied, then only the essentials are allowed. Maximum lockdown.
Out of the box, scode blocks over 35 credential and personal file paths, can scrub 28+ environment variable token patterns, and handles the Chromium double-sandbox problem automatically. There are YAML config files for maintaining different security postures, an audit subcommand for reviewing what got blocked, and trust presets for quick switching between paranoid and permissive modes.
The simplest usage is just scode claude. Everything else works exactly as before.
One boundary, not five
I do not claim scode is anything groundbreaking. Seatbelt profiles, bubblewrap namespaces, path-based access control — none of this is new. Some harnesses already ship their own sandboxes. Claude Code has one. Codex CLI has one. Gemini CLI has an opt-in one. But that is part of the problem: each implements its own policy with its own defaults, its own gaps, and its own config format. Many harnesses have no OS-level isolation at all. And if you use more than one tool, as I do, you end up with a patchwork of protections you have to manage separately.
What I wanted was one boundary. One config file, one set of rules, consistent across every harness I run. No daemon, no proxy, no container — just a script that wraps the command and blocks what should be blocked. Something that works on a fresh machine with nothing installed, adds about 10 milliseconds of overhead, and ships with sane defaults out of the box: cloud credentials, password managers, personal documents, auth tokens, all blocked from the first run.
I think this kind of boundary should be the default, not the exception. We give these tools access to everything on our machines and hope they behave. Call it vibe security if you want, but it feels more like a prayer than a safety belt.
Take it for a spin
Install via Homebrew: brew install bindsch/tap/scode
Or clone from GitHub and run make install. Sorry Windows users, macOS and Linux only for now.
Important note: scode is beta software (v0.1.0), released under the MIT license. The defaults are opinionated, and I am sure there are edge cases I missed. It is a seatbelt, not an armored vehicle — meant to catch the common case of an AI tool wandering into your personal files, not a determined attacker. Bug reports, PRs, and default adjustments are all welcome.
If it makes you feel a little safer running these tools, that is enough for me.