Copy-paste starting points. Comment-free and stripped to essentials — every line present for a reason.
The smallest possible AC config. Two mandatory lines. All access defaults to deny-all.
[sandbox]
token = 'appcontainer'
sandy.exe -c minimal_ac.toml -x cmd.exe /c echo hello
Runs cmd.exe in an AppContainer with no file grants — it can read from system directories through its ALL APPLICATION PACKAGES group membership but cannot touch any user files, network, or registry. Good starting point for adding [allow.*] rules incrementally.
A Python script that renames, rewrites, and deletes files in a working directory — sandboxed so a bug or runaway glob can only affect the explicitly granted folder.
[sandbox]
token = 'appcontainer'
workdir = 'C:\work\output'

[allow.deep]
execute = ['C:\Python313']   # run the interpreter + stdlib
all = ['C:\work\output']     # full access to output folder only

[environment]
pass = ['PATH']
import pathlib
import re

ROOT = pathlib.Path(".")  # cwd = C:\work\output (from workdir)

# 1. rename: strip leading digits from all .txt filenames
for p in ROOT.glob("*.txt"):
    new_name = re.sub(r"^\d+_", "", p.name)
    if new_name != p.name:
        p.rename(ROOT / new_name)
        print(f"renamed: {p.name} → {new_name}")

# 2. rewrite: uppercase all lines in *.log files
for p in ROOT.glob("*.log"):
    data = p.read_text(encoding="utf-8")
    p.write_text(data.upper(), encoding="utf-8")
    print(f"uppercased: {p.name}")

# 3. delete: remove all *.tmp files
for p in ROOT.glob("*.tmp"):
    p.unlink()
    print(f"deleted: {p.name}")

# 4. create summary
(ROOT / "_summary.txt").write_text(
    f"processed {len(list(ROOT.iterdir()))} files\n", encoding="utf-8"
)
print("done.")
sandy.exe -c mangle.toml -x C:\Python313\python.exe mangle.py
Any bug in mangle.py — a wrong glob pattern, a recursive delete, a path escape — is constrained to C:\work\output. The rest of your filesystem is kernel-protected. No --allow flag needed; protection is structural.
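A quick way to confirm that the grant boundary really is where the config says it is: run a probe script under the same sandy config and let it report, for each path, whether the process can read, write, or not touch it at all. The following is an added example, not code from the page or from sandy; it assumes nothing beyond the Python standard library. Nothing is modified: files are opened with r+b (no truncation, no creation) and the temp file created to test a directory is deleted on close.

```python
import os
import sys
import tempfile


def probe(paths):
    """Classify each path as seen from inside the current process.

    'writable'  read worked and a write-open (or a temp file in the directory)
                was accepted, so the grant covers write
    'readable'  read worked but the write attempt raised PermissionError
    'denied'    even the read attempt raised PermissionError
    'missing'   the path does not exist
    """
    results = {}
    for path in paths:
        # Step 1: read access (listing for directories, one byte for files).
        try:
            if os.path.isdir(path):
                os.listdir(path)
            else:
                with open(path, "rb") as fh:
                    fh.read(1)
        except FileNotFoundError:
            results[path] = "missing"
            continue
        except PermissionError:
            results[path] = "denied"
            continue
        except OSError as exc:
            results[path] = f"error: {exc.strerror}"
            continue
        # Step 2: write access, attempted without changing any content.
        try:
            if os.path.isdir(path):
                with tempfile.NamedTemporaryFile(dir=path):
                    pass
            else:
                with open(path, "r+b"):
                    pass
        except PermissionError:
            results[path] = "readable"
        except OSError as exc:
            results[path] = f"error: {exc.strerror}"
        else:
            results[path] = "writable"
    return results


def demo_in_tempdir():
    """Run probe() over a throwaway directory (constructed input) so the
    classifier can be exercised outside any sandbox."""
    with tempfile.TemporaryDirectory() as workdir:
        sample = os.path.join(workdir, "sample.txt")
        with open(sample, "w", encoding="utf-8") as fh:
            fh.write("constructed sample\n")
        return probe([workdir, sample, os.path.join(workdir, "does-not-exist")])


if __name__ == "__main__":
    targets = sys.argv[1:] or [os.getcwd()]
    for path, verdict in probe(targets).items():
        print(f"{verdict:9} {path}")
```

Invoked as `sandy.exe -c mangle.toml -x C:\Python313\python.exe probe.py C:\work\output C:\Users\H` (the script name and the second path are this example's choices), the recipe's description predicts `writable` for C:\work\output and `denied` for anything under C:\Users, because the AppContainer has no grant there. A `writable` verdict on a path you meant to keep out of reach points at a grant that is wider than intended.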
Smallest valid RT config. Three mandatory lines. Everything else is deny-all.
[sandbox]
token = 'restricted'
integrity = 'low'
sandy.exe -c minimal_rt.toml -x powershell.exe -NoProfile -Command "whoami /all"
Unlike AppContainer, a Restricted Token already inherits BUILTIN\Users read access to system directories and most of HKLM\Software, so no base read grants are needed. Manual [allow.*] grants add the write or execute permissions the token does not have by default.
Sandboxes Claude Code CLI to a single project directory (C:\repos\snipps). Restricted Token at medium integrity, which is needed for named pipes (Bun/Node IPC) and interactive stdin. The token inherits BUILTIN\Users read/exec, so no base grants are needed: only write/delete paths are explicitly listed.
[sandbox]
token = 'restricted'
integrity = 'medium'
workdir = 'C:\repos\snipps'

[allow.deep]
write = ['C:\Users\H\.claude']   # session state / cache
all = ['C:\repos\snipps']        # project — full access

[deny.deep]
all = [
  'C:\Users\H\.codex',
  'C:\Users\H\.gemini',
  'C:\Users\H\.ssh',
  'C:\Users\H\.ollama',
  'C:\Users\H\.antigravity',
  'C:\Users\H\Downloads',
  'C:\Users\H\OneDrive',
  'C:\store',
  'C:\repos',   # deny all other projects
]

[privileges]
named_pipes = true      # Bun/Node IPC
stdin = true            # interactive CLI
child_processes = true  # Claude spawns node, git, etc.

[environment]
inherit = true
sandy.exe -c sandy_claude.toml -x claude.exe
Claude Code is an interactive CLI that spawns Node.js, Bun, and git, all of which use named pipes for IPC. AppContainer blocks named pipes entirely. Restricted Low would block writes to most of C:\Users\H because of Mandatory Integrity Control. Restricted Medium with explicit [deny.deep] entries on sensitive directories gives Claude the process compatibility it needs while still hard-blocking credentials, other projects, and secrets at the kernel level.
deny.all = ['C:\repos'] blocks all access to the entire repos tree. allow.all = ['C:\repos\snipps'] is then detected as lying inside that deny, so Sandy automatically strips the deny ACEs from snipps and grants full access. The pipeline log shows:
PIPELINE: DENY [ALL] C:\repos → ALLOW [ALL] C:\repos\snipps ← strip deny (subtree)