Improve sandbox support for erlang / elixir
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
Summary
Claude Code's web sandbox is a great experience for Node, Python, Go, and
Ruby projects (toolchains preinstalled, package managers reach the network).
For Erlang/Elixir projects it is currently unworkable without
session-by-session re-derivation. Two problems compound:
1. Toolchain is not preinstalled
erl, elixir, and mix are not on PATH. The Ubuntu 24.04 base ships anelixir package at 1.14, which is too old for any project pinning a
recent .tool-versions (1.17+). Installing a current BEAM costs an agent
~5–10 minutes of trial-and-error every fresh session: source build needs-dev headers (apt is the only path); precompiled OTP frombuilds.hex.pm works but isn't well-known.
2. Erlang's TLS is silently blocked by the egress proxy
This is the bigger one. The sandbox's MITM egress
(O=Anthropic; CN=sandbox-egress-production TLS Inspection CA) accepts
curl's TLS handshake — every https://... curl request returns 200 — but
returns 502 Bad Gateway / 503 Service Unavailable on every HTTPS
host when the client is Erlang's :httpc. Verified against:
https://repo.hex.pm/...https://hex.pm/api/...https://cdn.jsdelivr.net/hex/...(Hex's official jsDelivr mirror)https://api.github.com/...https://www.google.com/
The proxy returns the Envoy-style bodyupstream connect error or disconnect/reset before headers. retried and. It is not host-specific
the latest reset reason: connection termination
and not fixable from Mix configuration — HEX_MIRROR, HEX_CACERTS_PATH,HEX_UNSAFE_HTTPS=1, HEX_HTTP_TIMEOUT/HEX_HTTP_RETRIES, forcing TLS
1.2 vs 1.3, custom User-Agent and Connection: close headers, andmax_keep_alive_length: 0 all yield the same 5xx. The proxy distinguishes
Erlang's TLS hello (likely JA3/JA4 fingerprint) from curl's and refuses
to relay it upstream.
This breaks every Mix command that touches the network:mix local.hex --force, mix local.rebar --force, mix deps.get,mix hex.search, mix hex.info, mix archive.install hex …. The
documented Hex mirror list (https://hex.pm/docs/mirrors) doesn't help —
all three endorsed mirrors are blocked the same way.
openai/codex#10502 reports the identical class of failure on a
different sandbox vendor, with the same recommended-but-unworkable
"use a different mirror" workaround, so this is a general property of
MITM-egress sandboxes and not specific to Claude Code's infrastructure.
Repro
# In a fresh Claude Code web session, on Linux:
curl -fsSL -o /tmp/otp.tgz \
https://builds.hex.pm/builds/otp/ubuntu-24.04/OTP-27.2.tar.gz
mkdir -p /opt/erlang && tar -xzf /tmp/otp.tgz -C /opt/erlang
( cd /opt/erlang/OTP-27.2 && ./Install -minimal /opt/erlang/OTP-27.2 )
curl -fsSL -o /tmp/elixir.zip \
https://github.com/elixir-lang/elixir/releases/download/v1.18.1/elixir-otp-27.zip
mkdir -p /opt/elixir && unzip -q /tmp/elixir.zip -d /opt/elixir
export PATH=/opt/erlang/OTP-27.2/bin:/opt/elixir/bin:$PATH
# This is what fails:
mix local.hex --force
# → ** (Mix) httpc request failed with: ... TLS client ... key_usage_mismatch ...
# Even bypassing TLS verification:
HEX_UNSAFE_HTTPS=1 mix local.hex --force
# → 502 Bad Gateway "upstream connect error..."
# But curl to the same URL works:
curl -fsSI https://builds.hex.pm/installs/1.18.0/hex.ez | head -1
# → HTTP/2 200
### Proposed Solution
What would help
In rough priority order:
Preinstall Erlang/OTP and Elixir at recent versions in the web
sandbox image (matching whatever versioning policy other languages
get). Even one current otp-27 / 1.18 pair would cover most projects.
Make the egress proxy accept Erlang's TLS fingerprint, or expose
a documented TLS-fingerprint-stable HTTP egress that :httpc can use.
Failing the above, document the limitation prominently in the
web-sandbox docs — including the fact that "use a Hex mirror" is not
a workaround on this proxy. As-is, agents waste a lot of tokens
trying every Mix flag before discovering the proxy is the issue.
Optionally, ship a mix-via-curl shim or a sandbox-aware
setup-beam that pre-fetches deps via curl into the on-disk Hex
cache before falling back to :httpc.
Environment
Claude Code web sandbox, Ubuntu 24.04 LTS x86_64
BEAM not preinstalled; verified after manual install of OTP 27.2 +
Elixir 1.18.1.
curl 8.5.0 works for all probed HTTPS hosts.
:httpc returns 502/503 for all probed HTTPS hosts.
### Alternative Solutions
_No response_
### Priority
High - Significant impact on productivity
### Feature Category
Other
### Use Case Example
_No response_
### Additional Context
_No response_This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗