The Problem: Manual Approval is Broken
If you use Claude Code seriously, you've hit the permission prompt wall. It breaks flow, kills agent loops, and makes multi-step refactors impractical. The logical endpoint is --dangerously-skip-permissions. But as the name screams, it's dangerous. The built-in protections aren't enough.
Research shows agents actively reason about escaping sandboxes. There are documented CVEs for RCE through config files, sandbox escapes via settings.json injection, and API key exfiltration before trust prompts appear. Supply chain attacks via npm postinstall hooks can execute in seconds. Manual approval creates a false sense of security—any prompt injection bypasses it—while making you the bottleneck.
The Solution: OS-Level Containment
Hazmat solves this by containing the AI agent at the OS level before you even start your session. It's not another wrapper; it's a full containment system for macOS. Run hazmat claude and here's what happens:
- Dedicated macOS User: The agent runs under a completely separate user account.
- Kernel Sandbox (Seatbelt): A kernel-enforced sandbox profile restricts file system and network access.
- pf Firewall: Network traffic is filtered and controlled.
- DNS Blocklist: Known malicious domains are blocked.
- Supply Chain Hardening: Automatically sets npm ignore-scripts to neutralize post-install attacks.
- Automatic Snapshots: Takes a ZFS snapshot of your project directory before the session starts. Rollback is instant.
The setup and rollback ordering is formally verified with TLA+, which found 3 real bugs during development. This multi-layered approach is key: a sandbox can block file reads but not HTTPS exfiltration; a firewall can't stop credential access. You need them all.
How To Use It Right Now
Installation is via Homebrew:
brew install dredozubov/tap/hazmat

Then, instead of claude code, you run:
hazmat claude
That's it. Hazmat automatically detects your project and chooses the best containment mode. For projects with a Dockerfile, it uses Docker Sandbox Mode, running the agent inside an isolated container with a private Docker daemon. For other projects, it uses Native Containment Mode with the macOS layers listed above.
Every session starts with a clear contract printed to your terminal:
hazmat: session
Mode: Native containment
Why this mode: using native containment because no Docker requirement was detected
Project (read-write): /Users/you/workspace/my-app
Integrations: go
Auto read-only: /Users/you/go/pkg/mod
Pre-session snapshot: on
Snapshot excludes: vendor/
You can preview this contract for any project with hazmat explain.
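A pre-flight gate over that contract, as an added example that is not part of Hazmat or of the original post: it parses the Key: value lines shown above and refuses to proceed unless the read-write scope is exactly the expected project directory and the pre-session snapshot is on. It assumes hazmat explain prints this same format on stdout; the function names contract_field and check_contract are hypothetical.

```shell
# Added example (not Hazmat's own code): gate an agent launch on the contract.
# Assumption: `hazmat explain` prints the "Key: value" lines shown above on stdout.

# contract_field KEY: print the value of the first "KEY: value" line on stdin.
contract_field() {
    awk -v key="$1" '{
        line = $0
        sub(/^[ \t]+/, "", line)                 # tolerate indented fields
        if (index(line, key ":") == 1) {         # literal match, no regex on KEY
            val = substr(line, length(key) + 2)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print val
            exit
        }
    }'
}

# check_contract EXPECTED_DIR: contract text on stdin.
# Succeeds only if the read-write project is exactly EXPECTED_DIR (not a
# parent such as $HOME) and a pre-session snapshot is enabled.
check_contract() {
    expected=${1%/}
    contract=$(cat)
    mode=$(printf '%s\n' "$contract" | contract_field "Mode")
    project=$(printf '%s\n' "$contract" | contract_field "Project (read-write)")
    snapshot=$(printf '%s\n' "$contract" | contract_field "Pre-session snapshot")

    [ -n "$mode" ] || { echo "refuse: no Mode line, input is not a contract" >&2; return 1; }
    [ "${project%/}" = "$expected" ] || {
        echo "refuse: read-write scope is '$project', expected '$expected'" >&2; return 1; }
    [ "$snapshot" = "on" ] || { echo "refuse: pre-session snapshot is '$snapshot'" >&2; return 1; }
    echo "ok: $mode, read-write limited to $project, snapshot on"
}

# Constructed sample, following the contract format printed above.
SAMPLE_CONTRACT='hazmat: session
  Mode: Native containment
  Project (read-write): /Users/you/workspace/my-app
  Pre-session snapshot: on'

# Usage (assumed invocation): hazmat explain | check_contract "$PWD" && hazmat claude
```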
Integrating Into Your Workflow
This changes the calculus for --dangerously-skip-permissions. With Hazmat, you can confidently add it to your claude alias or CLAUDE.md file, knowing the agent is contained. Your long-running agent loops for testing, refactoring, or documentation won't be interrupted.
Hazmat also works with any terminal-based agent:
- hazmat opencode for OpenCode
- hazmat exec ./my-agent-loop.sh for custom scripts
- hazmat shell for an interactive contained shell
This follows a trend of developers seeking to balance AI agent autonomy with security, especially after incidents like the autonomous git reset --hard command executed by a Claude agent in March 2026. Hazmat provides a structured, auditable security boundary rather than relying on the agent's own prompts or built-in, and sometimes bypassed, sandboxes.








