Hacker News

kstenerud, today at 5:32 AM

This is why I use yoloAI (https://github.com/kstenerud/yoloai).

    $ yoloai new bugfix . -a --network-isolated --agent claude

Now I have a Claude Code session that only has a COPY of my work dir, and can't reach anything over the network except the Claude API server.

Now I interact with the agent, and when it's done:

    $ yoloai diff bugfix
    diff --git a/b64.go b/b64.go
    index cfc5549..253c919 100644
    --- a/b64.go
    +++ b/b64.go
    @@ -39,7 +39,7 @@ func Encode(data []byte) string {
        val |= uint(data[i+2])
       }

    -  out[j] = alphabet[(val>>18)&0x3E]
    +  out[j] = alphabet[(val>>18)&0x3F]
       out[j+1] = alphabet[(val>>12)&0x3F]

       remaining := n - i
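
Review bot: the corrected mask on `out[j]` arrives without a regression test; the diff touches only b64.go. With `0x3E`, bit 0 of the first index was cleared, so any input whose first 6-bit group is odd encoded to the wrong first character; a test case with such an input, checked against a known-good encoding, would pin the fix down. The literal `0x3F` is also repeated on the `out[j+1]` line, so a named constant for the 6-bit mask would keep these lines from drifting apart again.
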
Looks good, let's apply it:

    $ yoloai apply bugfix
    Target: /home/ks/tmp/b64

    Commits to apply (1):
      9db260b33bcd Fix bit mask in base64 encoding

    Apply to /home/ks/tmp/b64? [y/N] y
    1 commit(s) applied to /home/ks/tmp/b64

Now the commit Claude made inside the sandbox has been applied to my workdir:

    $ git log
    commit 5b0fc3a237efe8bbc9a9e1a05f9ce45d37d38bfa (HEAD -> main)
    Author: Karl Stenerud <[email protected]>
    Date:   Mon Mar 30 05:28:21 2026 +0000

        Fix bit mask in base64 encoding

        Corrected the bit mask for the first character extraction from 0x3E to 0x3F to properly extract all 6 bits.

        Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

    commit 31e12b62b0c3179f3399521d7c4326a8f6130721 (tag: init)

The important thing here is that Claude was not able to reach anything on the network except its own API, and nothing it did ever touched my work dir until I was happy with the changes and applied them.

It also doesn't get access to my credentials, so it couldn't push even if it did have network access.