Claude Code vs Cowork — Execution & Sandbox Flow
Where each environment runs · what it can touch · where MCP breaks the boundary

Claude Code (local): CLI · npm install · or via Desktop app
  YOU: "Fix the failing tests"

Cowork: Claude Desktop app · task delegation mode
  YOU: "Process all invoices"

ANTHROPIC CLOUD
  Claude Model — Inference happens here
  Prompts, file contents, and command outputs travel here · Retained 30 days

YOUR MACHINE
  Permission Pipeline: Allowlist check · auto-mode classifier
  OS-LEVEL SANDBOX: bubblewrap (Linux) / seatbelt (macOS)
    FILESYSTEM: CWD only
    NETWORK: Approved domains only
    All child processes inherit these restrictions
YOUR MACHINE — LOCAL DISK
  Project folder: Real files · immediate changes · no preview
  🔒 ~/.ssh · ~/.aws · anything outside the folder → blocked
  Session transcript → ~/.claude/projects/ (30 days, plaintext)

YOUR MACHINE — HOST
  CLAUDE DESKTOP (ELECTRON): VM lifecycle · MCP host · org egress policy
    Manages VM · hosts MCP server processes
  LINUX VM · hypervisor isolated · Ubuntu 22.04
    SANDBOX LAYER 2: bubblewrap + seccomp
      Claude Code CLI runs here
    VirtioFS MOUNT: Mounted folder only · real-time sync to host
      Everything else on your machine: invisible
    Network: ~22 allowlisted domains only (VM-level)
  MCP CONNECTOR · HOST PROCESS
    stdio pipe from VM → real HTTPS call on host
    Credentials stay on host · never enter VM
EXTERNAL APIS · UNRESTRICTED
  Jira · Slack · Google · GitHub · etc.
  Not subject to VM's domain allowlist

LEGEND: Anthropic cloud (inference) · Local filesystem access · Sandbox / VM layer · MCP / unrestricted path · MCP stdio pipe (breaks VM boundary) · Cloud inference flow