diff --git a/darwin/configuration.nix b/darwin/configuration.nix
index 307836f..0e0a10a 100644
--- a/darwin/configuration.nix
+++ b/darwin/configuration.nix
@@ -17,6 +17,7 @@
         "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
         "flyingcircus.io-1:Rr9CwiPv8cdVf3EQu633IOTb6iJKnWbVfCC8x8gVz2o="
       ];
+      sandbox = "relaxed";
     };
   };
 
diff --git a/home/modules/captive-browser.nix b/home/modules/captive-browser.nix
index f3c8453..501cdfb 100644
--- a/home/modules/captive-browser.nix
+++ b/home/modules/captive-browser.nix
@@ -36,8 +36,20 @@ in
               ${cfg.browserCommand} \
               --user-data-dir="$HOME/Library/Application Support/Google/Captive" \
               --proxy-server="socks5://$PROXY" \
-              --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost" \
-              --no-first-run --new-window --incognito \
+              --proxy-bypass-list="<-loopback>" \
+              --no-first-run \
+              --new-window \
+              --incognito \
+              --no-default-browser-check \
+              --no-crash-upload \
+              --disable-extensions \
+              --disable-sync \
+              --disable-background-networking \
+              --disable-client-side-phishing-detection \
+              --disable-component-update \
+              --disable-translate \
+              --disable-web-resources \
+              --safebrowsing-disable-auto-update \
               http://example.com
             '';
           };
diff --git a/home/modules/llm.nix b/home/modules/llm.nix
new file mode 100644
index 0000000..80466d4
--- /dev/null
+++ b/home/modules/llm.nix
@@ -0,0 +1,31 @@
+{
+  pkgs,
+  lib,
+  inputs,
+  config,
+  system,
+  ...
+}:
+let
+  myAider = pkgs.aider-chat;
+  # FIXME: darwin build failure due to cfn-lint-1.32.1
+  # myAider = pkgs.aider-chat.withOptional {
+  #   withPlaywright = true;
+  #   withBrowser = true;
+  #   withHelp = true;
+  #   withBedrock = false;
+  # };
+in
+{
+  home.packages = [
+    myAider
+    pkgs.claude-code
+  ];
+  #nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "claude-code" ];  # nixpkgs.config merging is unfortunately broken
+  # TODO: API token e.g. via sops
+  # TODO: proper codium and llm enable options
+  home.sessionVariables = {
+    AIDER_EDITOR = "codium --wait";
+    DISABLE_TELEMETRY = 1; # for claude-code
+  };
+}
diff --git a/home/workmac.nix b/home/workmac.nix
index 0e9c722..64c3fc3 100644
--- a/home/workmac.nix
+++ b/home/workmac.nix
@@ -12,6 +12,7 @@ let
   unstable = inputs.nixos-unstable.legacyPackages.${system};
 in
 {
+  imports = [ ./modules/llm.nix ];
 
   schmittlauch.packages = {
     graphics = true;
@@ -129,7 +130,12 @@ in
       ThrottleInterval = 60;
     };
   };
-  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "1password-cli" ];
+  nixpkgs.config.allowUnfreePredicate =
+    pkg:
+    builtins.elem (lib.getName pkg) [
+      "1password-cli"
+      "claude-code"
+    ]; # nixpkgs.config merging is unfortunately broken
 
   home.stateVersion = "22.05";
 }