Guide to setting up a secure, sandboxed AI development environment using Arch Linux on WSL2 with Fish shell. (AI generated)

Zero-Trust AI Development Environment (WSL2 CachyOS)

Audience: Experienced CachyOS/Arch WSL users. Focuses on Podman 5.x pasta networking and April 2026 agent schemas.

A high-density guide for deploying a hardened, fully sandboxed AI environment using native CachyOS packages and rootless Podman.

1. Fast Track Installation

Install agents, container stack, and crucial feature-parity dependencies.

# Container Stack & Utilities
sudo pacman -S --noconfirm podman bubblewrap socat passt wl-clipboard

# AI Agents
sudo pacman -S --noconfirm claude-code openai-codex gemini-cli
yay -S --noconfirm claude-code-seccomp

# Recommended Optional Dependencies (Feature Parity)
sudo pacman -S --noconfirm git github-cli ripgrep tmux xdg-utils

2. Hardened Environment (config.fish)

Enforce namespace isolation, network privacy, and privilege restriction.

# Gemini CLI Sandbox & Privacy
set -gx GEMINI_SANDBOX podman
set -gx GEMINI_TELEMETRY_ENABLED false
set -gx GOOGLE_API_DISABLE_TELEMETRY true

# Hardened Sandbox Flags: DNS isolation, MTU alignment, and Privilege restriction
# pasta options are passed on --network (pasta:--mtu,1500); the resolver is set with podman's --dns
set -gx SANDBOX_FLAGS "--userns=keep-id --network=pasta:--mtu,1500 --dns=1.1.1.1 --security-opt=no-new-privileges"
set -gx SANDBOX_SET_UID_GID true

# Claude Code & General Privacy
set -gx CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC 1
set -gx CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY 1
set -gx DISABLE_AUTOUPDATER 1
set -gx DISABLE_TELEMETRY 1
set -gx DISABLE_ERROR_REPORTING 1

# Infrastructure
set -gx DOCKER_HOST "unix://$XDG_RUNTIME_DIR/podman/podman.sock"
# Run once from an interactive shell; this line does not belong in config.fish
systemctl --user enable --now podman.socket

3. Agent Sandboxing Configuration

Gemini CLI (~/.gemini/settings.json)

{
  "tools": {
    "sandbox": "podman",
    "security": { "toolSandboxing": true, "allowNetwork": true },
    "sandboxNetworkAccess": true
  },
  "general": { "defaultApprovalMode": "auto_edit" }
}

Claude Code (~/.claude/settings.json)

Hardened for 2026: prevents shell escapes and implements domain allowlists.

{
  "sandbox": {
    "enabled": true,
    "autoAllowBashIfSandboxed": true,
    "allowUnsandboxedCommands": false,
    "allowedDomains": ["*.google.com", "*.github.com", "*.anthropic.com", "*.context7.com", "*.upstash.com"],
    "filesystem": {
      "allowWrite": ["./**"],
      "denyRead": ["/home/<username>/.ssh/**", "/home/<username>/.gnupg/**", "/etc/shadow"]
    }
  },
  "seccomp": {
    "bpfPath": "/usr/lib/claude-code-seccomp/unix-block.bpf",
    "applyPath": "/usr/lib/claude-code-seccomp/apply-seccomp"
  }
}

Note: Toggle sandbox status in-session using the /sandbox command.
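
An added example, not part of the gist or of Claude Code itself: a Python check that reads a settings file shaped like the one above and reports values weaker than this section intends. The key names are taken from the JSON above as shown; `audit`, `SAMPLE` and the `exists` parameter are names introduced here, and the sample settings are constructed.

```python
import json
import os

# Constructed sample: a trimmed copy of the settings above, placeholder left unfilled.
SAMPLE = {
    "sandbox": {
        "enabled": True,
        "allowUnsandboxedCommands": False,
        "allowedDomains": ["*.github.com", "*.anthropic.com"],
        "filesystem": {"denyRead": ["/home/<username>/.ssh/**", "/etc/shadow"]},
    },
    "seccomp": {"bpfPath": "/usr/lib/claude-code-seccomp/unix-block.bpf"},
}

def audit(settings, exists=os.path.exists):
    """Return findings for settings weaker than this guide intends (keys assumed as shown above)."""
    findings = []
    sb = settings.get("sandbox", {})
    if sb.get("enabled") is not True:
        findings.append("sandbox.enabled is not true")
    # A missing key counts as a finding: do not rely on the tool's default.
    if sb.get("allowUnsandboxedCommands") is not False:
        findings.append("allowUnsandboxedCommands is not explicitly false")
    for dom in sb.get("allowedDomains", []):
        if dom.startswith("*."):
            findings.append(f"wildcard domain {dom}: prefer exact hostnames")
    deny = sb.get("filesystem", {}).get("denyRead", [])
    for path in deny:
        if "<" in path or ">" in path:
            findings.append(f"unfilled placeholder in denyRead: {path}")
    for wanted in (".ssh", ".gnupg"):
        if not any(wanted in p for p in deny):
            findings.append(f"denyRead has no rule for {wanted}")
    for key in ("bpfPath", "applyPath"):
        p = settings.get("seccomp", {}).get(key)
        if not p:
            findings.append(f"seccomp.{key} is not set")
        elif not exists(p):
            findings.append(f"seccomp.{key} points at a missing file: {p}")
    return findings

if __name__ == "__main__":
    path = os.path.expanduser("~/.claude/settings.json")
    cfg = SAMPLE
    if os.path.exists(path):
        with open(path) as fh:
            cfg = json.load(fh)
    for line in audit(cfg):
        print("FINDING:", line)
```

Run directly, it audits ~/.claude/settings.json when that file exists and falls back to the constructed sample otherwise.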

Codex CLI (~/.codex/config.toml)

Updated 2026 Permissions Schema (v0.123.0+).

default_permissions = "workspace"
approvals_reviewer = "on-request"

[permissions.workspace.filesystem]
":root" = "read"
":project_roots" = "write"
"/tmp" = "write"

[permissions.workspace.network]
enabled = true
mode = "limited"
[permissions.workspace.network.domains]
"github.com" = "allow"
"pypi.org" = "allow"
"context7.com" = "allow"
"upstash.com" = "allow"

4. Maintenance & Troubleshooting

| Task | Command / Info |
|---|---|
| First Login | env NO_BROWSER=true gemini login |
| Update Sandbox | podman pull us-docker.pkg.dev/gemini-code-dev/gemini-cli/sandbox:0.42.0 |
| Cleanup | podman system prune -f (Run weekly to clear AI agent layers) |
| VHDX Shrink | wsl.exe --compact <distro> (Run from PowerShell for host-side compaction) |
| Warning | Stay off /mnt/c/. Agents require native ext4 partitions for pasta and bwrap namespaces. |
| Audit | ls /usr/lib/claude-code-seccomp/ (Verify .bpf presence) |