# hako

sandboxing claude code in a very primitive manner: claude code runs inside a docker container instead of directly on your host, and you pull its output back out with `hako sync`.

## protects against

- you accidentally letting claude run `rm -rf /` (it wipes the container's filesystem, not your host; anything you hadn't `hako sync`ed out is gone with it)

## DOES NOT PROTECT AGAINST

- claude generating malicious code
  - if you `hako sync` malicious code made by it and then build-and-run it on your host, you're cooked
- running malicious code (inside the container or out)
  - malicious code can escape the container: a stock docker container is an isolation convenience, not a hardened sandbox
  - malicious code can exfiltrate the container FS to an evil server, including your project files and whatever credentials claude code authenticates with
  - malicious code can run cryptocurrency miners
- the container MUST have network access (claude code has to reach the claude api, so there is no offline mode)
  - i am NOT writing a proxy that denies everything except claude.ai. maybe someone else can ask their claude to do it

## install

### requirements

- docker
- git repository (must be run within a git project)
- go 1.x (for building from source)

```sh
go build -o hako
```

## usage

### setup

```sh
# build the main base container image
hako init

# build a lang-specific container image (supports go for now)
hako init go
```

### actually sandboxing

```sh
cd to/your/project

hako up     # spins a container up w/ the base image
hako up go  # spins a container up w/ the lang-specific image

# stop the container
hako down

# list running containers
hako ps

# download files from the container into cwd
# (read what came back before you build-and-run it; see DOES NOT PROTECT AGAINST)
hako sync
```

|
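`hako sync` is the point where sandboxed output crosses back onto your host, and the DOES NOT PROTECT AGAINST section is blunt that building and running it unreviewed is on you. The script below is an added example, not part of hako: a POSIX shell gate that uses only git (which hako already requires) to list what a sync left in the working tree and refuses to run the build until every change has been reviewed and committed. The function names, the `gated_build` wrapper and its default build command `go build ./...` are assumptions for illustration, not hako features.

```shell
#!/bin/sh
# Added example, not part of hako: a pre-build gate for synced output.
# `hako sync` copies files from the container into the working tree of
# the git project hako requires. Nothing below talks to hako or docker;
# it only asks git what is sitting in the tree unreviewed.
set -eu

# Print every path in REPO that differs from HEAD: modified, staged,
# renamed or untracked. `--porcelain` is the stable script-friendly
# format ("XY path"); the first three columns are status, so cut them.
unreviewed_paths() {
    git -C "$1" status --porcelain --untracked-files=all | cut -c4-
}

# Succeed only when REPO has no unreviewed changes at all.
tree_is_reviewed() {
    [ -z "$(unreviewed_paths "$1")" ]
}

# Build REPO with BUILD_CMD (assumed default: "go build ./...") only if
# everything in the tree has been reviewed and committed. Otherwise list
# the unreviewed paths on stderr and fail, so a `hako sync && gated_build`
# chain stops here instead of compiling and running fresh model output.
gated_build() {
    repo=$1
    build_cmd=${2:-"go build ./..."}
    if ! tree_is_reviewed "$repo"; then
        echo "refusing to build: unreviewed changes in $repo" >&2
        unreviewed_paths "$repo" | sed 's/^/  /' >&2
        return 1
    fi
    (cd "$repo" && sh -c "$build_cmd")
}

# Intended use after a sandbox session (hako itself is not invoked here):
#   hako sync && gated_build . "go build ./..."
# Read the diff, `git add` / `git commit` what you accept, then rerun.
```

The gate is deliberately dumb: it does not try to judge whether a change is malicious, it only makes "I looked at it and committed it" a precondition for "I ran it", which is the step the section above says you must not skip.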
## configuration

Configuration files are stored in `~/.config/hako/`:

- `Dockerfile.base` - Base Docker image configuration
- `Dockerfile.{lang}` - Language-specific Docker configurations