# hako

sandboxing claude code in a very primitive manner.

## protects against

- you accidentally letting claude run `rm -rf /`

## DOES NOT PROTECT AGAINST

- claude generating malicious code
  - if you `hako sync` malicious code made by it and then build-and-run, you're cooked
- running malicious code
  - malicious code can escape the container
  - malicious code can exfiltrate container FS to evil server
  - malicious code can run cryptocurrency miners
- the container MUST have network access (or how tf do you think claude can access claude???)
  - i am NOT writing a proxy that denies everything except claude.ai. maybe someone else can ask their claude to do it

## install

### requirements

- docker
- git repository (must be run within a git project)
- go 1.x (for building from source)

```sh
go build -o hako
```

## usage

### setup

```sh
# build the main base container image
hako init

# build a lang-specific container image (supports go for now)
hako init go
```

### actually sandboxing

```sh
cd to/your/project
hako up      # spins a container up w/ the base image
hako up go   # spins a container up w/ the lang-specific image

# stop the container
hako down

# list running containers
hako ps

# download files from the container into cwd
hako sync
```

## configuration

Configuration files are stored in `~/.config/hako/`:

- `Dockerfile.base` - Base Docker image configuration
- `Dockerfile.{lang}` - Language-specific Docker configurations
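
Since `hako sync` followed by build-and-run is the gap called out under "DOES NOT PROTECT AGAINST", here is an added example (not part of hako) that triages `git status --porcelain` output after a sync, so files that run or pull in code implicitly get read first. The function names and the pattern list are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not part of hako. Triage what `hako sync` changed before
# you build or run anything on the host.

# ASSUMPTION: this pattern list is illustrative. It flags files that run, or
# pull in code, implicitly (build scripts, dependency pins, CI, direnv).
classify_path() {
    case "$1" in
        Makefile|*/Makefile|*.mk|*.sh|.envrc|*/.envrc) echo REVIEW ;;
        go.mod|*/go.mod|go.sum|*/go.sum) echo REVIEW ;;
        Dockerfile*|*/Dockerfile*|.github/workflows/*) echo REVIEW ;;
        *) echo changed ;;
    esac
}

# Reads `git status --porcelain` (v1) lines on stdin: two status characters,
# a space, then the path. Renames look like "R  old -> new".
# Returns non-zero if any path was flagged.
triage_sync() {
    flagged=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line#???}                                  # drop "XY "
        case "$path" in *" -> "*) path=${path##* -> } ;; esac  # keep new name
        verdict=$(classify_path "$path")
        if [ "$verdict" = REVIEW ]; then
            flagged=$((flagged + 1))
        fi
        printf '%-7s %s\n' "$verdict" "$path"
    done
    [ "$flagged" -eq 0 ]
}

# Constructed sample input (not from a real project). Real use, from the
# project root after `hako sync`:  git status --porcelain | triage_sync
printf '%s\n' ' M internal/run.go' '?? scripts/setup.sh' 'M  go.sum' |
    triage_sync || echo "read the REVIEW files before building"
```

Files matched by `.gitignore` do not show up in `git status --porcelain` unless you add `--ignored`, and nothing under `.git/` is reported at all.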