Rather than spending iterations crafting precise permissions, why not just run with --dangerously-skip-permissions?
If run in a devcontainer[1][2], the worst thing that can happen is it deletes everything in the filesystem below the mounted repo. Recovery would entail checking out the repo again.
On Windows I create a new locked-down user with NTFS permissions denied everywhere except the target project path. I then run the agent app as that user with otherwise unrestricted PowerShell access.
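The locked-down-user setup from the comment above, as an added example (not the commenter's own script). The account name 'agent-sandbox', the project path C:\proj\myrepo and the choice of denied paths are assumptions; it is meant to be run once from an elevated PowerShell.

```powershell
# Added example: a least-privilege local account for running a coding agent on Windows.
# Assumed values: account name 'agent-sandbox', project path C:\proj\myrepo.
$AgentUser   = 'agent-sandbox'
$ProjectPath = 'C:\proj\myrepo'

# 1. Create a plain local user. New-LocalUser adds it to no privileged group, so
#    by default it cannot write to Program Files, Windows, or other users' profiles.
$Password = Read-Host -AsSecureString -Prompt "Password for $AgentUser"
New-LocalUser -Name $AgentUser -Password $Password -PasswordNeverExpires `
    -Description 'Least-privilege account for the coding agent'

# 2. Grant Modify (read/write/delete) on the project tree only. (OI)(CI) make the
#    entry inherit to files and subfolders; /T applies it to what already exists.
icacls $ProjectPath /grant "${AgentUser}:(OI)(CI)M" /T | Out-Null

# 3. Explicitly deny the agent account the paths that matter most if it gets
#    prompt-injected: your own profile (SSH keys, tokens, browser data).
#    A deny entry wins over any allow the account inherits via the Users group.
icacls $env:USERPROFILE /deny "${AgentUser}:(OI)(CI)F" | Out-Null

# 4. Check the ACLs before handing the account to the agent:
#    the project should list an (M) entry, the profile a (DENY) entry.
icacls $ProjectPath    | Select-String $AgentUser
icacls $env:USERPROFILE | Select-String $AgentUser

# 5. Start PowerShell as that user in the project directory. Everything the agent
#    does from this window carries only the rights granted above.
$Cred = New-Object System.Management.Automation.PSCredential($AgentUser, $Password)
Start-Process powershell.exe -Credential $Cred -WorkingDirectory $ProjectPath `
    -ArgumentList '-NoExit'
```

Rather than denying the entire filesystem (which would stop PowerShell itself from loading), this relies on the account being non-administrative and adds explicit denies on the paths that hold credentials; extend step 3 with any other secret-bearing directories on the machine.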
Be careful running Claude in a devcontainer with no other restrictions - it at least nominally knows how to jailbreak out of containers, even though it appears heavily moralized not to. If you (for example) feed it arbitrary web data that contains a prompt sufficiently persuasive to get it to try, it's pretty capable of doing it.
> it at least nominally knows how to jailbreak out of containers
Source please. If it's contained (as in Claude runs INSIDE the container, not outside while having access to it) I don't understand how it technically could blue pill out of it. If it were to be able to leave the container then the container code would be updating accordingly to patch whatever exploit was found somehow. So I don't believe this but maybe I'm wrong, hence why I'm asking for a reference.
Still leaves you open to data exfil. Your AI goes to a site to check documentation, but oh no, that site wants it to make an API call with a very specific token.
1. (conventional usage) https://code.visualstudio.com/docs/devcontainers/containers
2. (actual spec) https://containers.dev/