> Bash restricted mode needing a chroot may suggest that Claude also needs a chroot (or restricted file permissions, jail, etc).
I believe running coding agents within a jail/container is a "best practice" to limit their blast radius. At least, this is what people I respect have conveyed to me.