proof-of-concept claude code sandboxing (don't trust this!)
hako
sandboxing claude code in a very primitive manner.
protects against
- you accidentally letting claude run rm -rf /
DOES NOT PROTECT AGAINST
- claude generating malicious code
  - if you hako sync malicious code made by it and then build-and-run, you're cooked
- running malicious code
  - malicious code can escape the container
  - malicious code can exfiltrate container FS to evil server
  - malicious code can run cryptocurrency miners
- the container MUST have network access (or how tf do you think claude can access claude???)
  - i am NOT writing a proxy that denies everything except claude.ai. maybe someone else can ask their claude to do it
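The deny-everything-except-claude.ai proxy mentioned in the last item could look like the following. This is an added example, not part of hako. The listen address and the single-domain allowlist are assumptions (the page names only claude.ai), and the container has to be set up separately so that this proxy is its only route out.

```go
package main

import (
	"io"
	"log"
	"net"
	"net/http"
	"strings"
	"time"
)

// Assumptions: the page names only claude.ai; the listen address in main is a made-up example.
const allowedDomain = "claude.ai"

// hostAllowed accepts a CONNECT target only on port 443 and only on a dot-boundary domain match.
func hostAllowed(target string) bool {
	host, port, err := net.SplitHostPort(target)
	if err != nil || port != "443" {
		return false
	}
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	return host == allowedDomain || strings.HasSuffix(host, "."+allowedDomain)
}

// handle tunnels allowed CONNECT requests and answers 403 to everything else.
func handle(w http.ResponseWriter, r *http.Request) {
	hj, ok := w.(http.Hijacker)
	if !ok || r.Method != http.MethodConnect || !hostAllowed(r.Host) {
		log.Printf("denied %s %q from %s", r.Method, r.Host, r.RemoteAddr)
		http.Error(w, "egress denied", http.StatusForbidden)
		return
	}
	up, err := net.DialTimeout("tcp", r.Host, 10*time.Second)
	if err != nil {
		http.Error(w, "upstream unreachable", http.StatusBadGateway)
		return
	}
	defer up.Close()
	client, _, err := hj.Hijack()
	if err != nil {
		return
	}
	defer client.Close()
	io.WriteString(client, "HTTP/1.1 200 Connection established\r\n\r\n")
	go io.Copy(up, client) // container -> upstream
	io.Copy(client, up)    // upstream -> container; returning closes both ends
}

func main() { log.Fatal(http.ListenAndServe("127.0.0.1:8888", http.HandlerFunc(handle))) }
```

An allowlist like this narrows where traffic can go; it does not address the container-escape item above, and data can still leave through the allowed host itself.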
install
requirements
- docker
- git repository (must be run within a git project)
- go 1.x (for building from source)
go build -o hako
usage
setup
# build the main base container image
hako init
# build a lang-specific container image (supports go for now)
hako init go
actually sandboxing
cd to/your/project
hako up # spins a container up w/ the base image
hako up go # spins a container up w/ the lang-specific image
# stop the container
hako down
# list running containers
hako ps
# download files from the container into cwd
hako sync
configuration
Configuration files are stored in ~/.config/hako/:
- Dockerfile.base - Base Docker image configuration
- Dockerfile.{lang} - Language-specific Docker configurations