Run a coding agent (Claude, Opencode) as a dedicated, unprivileged Unix user so that it can only touch the files we explicitly hand it:
- No access to your personal files — other users' home directories, dotfiles (SSH keys, shell history, GPG keys, etc.), and, on WSL, the Windows filesystem (
/mnt/c,/mnt/d, …). - No
sudo, no package installation, no system-wide changes. - No GitHub credentials — the agent can read and write code in its own workspace, but cannot push, pull, or open PRs. A human is always in the loop for anything that leaves the machine. To let the agent handle its own branches and PRs, loosen this with a fine-grained PAT scoped to a single repo — but it then lives inside the sandbox, so prompt injection can use it up to that scope. Keep it minimal.