If you still run Claude Code or Codex directly on your machine, this is your reminder to level up your sandboxing and avoid the ugly “it wiped my entire OS” risk. Auto-approve / bypass mode is the only way AIs actually fly, but pointed at your real $HOME it also lets a prompt-injected dependency read your `.env`, exfiltrate your shell history, push through your gh token, find your nasty picture in that hidden folder, or hack into your microwave! :P

So I built aicontainer: a CLI that sets up a devcontainer where you can let your AIs run loose (`--dangerously-skip-permissions`, sandbox off, etc.) a lot more safely.

https://github.com/stefanoginella/aicontainer

I use it daily across a bunch of projects. The idea is to put the AI behind a devcontainer boundary so you can keep auto-approve on without rebuilding your machine every time something goes sideways. Not bulletproof, but it cuts down the blast radius of a bad prompt or a compromised session by a lot.

What you get out of the box:

- Filesystem isolation so the host is inaccessible except your project dir and a few read-only mounts.
- Filtered Docker socket (via Tecnativa’s docker-socket-proxy) so testcontainers / docker compose still work from inside, but the dangerous API surface is cut down.
- A PreToolUse hook that blocks reads of `.env*`, `curl | sh` patterns, and writes to your `.devcontainer/`; fires even with bypass/auto-approve on.
- Locked git config so a compromised session can’t inject a `credential.helper` to grab your tokens.
- npm hardening (`ignore-scripts`, a release-age quarantine to dodge fast-moving malicious packages).
- An opt-in iptables outbound allowlist for when you want stricter containment (reviewing untrusted code, paranoid about exfiltration).
- No host credential forwarding so you log in once inside the container and the tokens persist across every project. No per-project re-login, no API keys leaking in.
Setup is basically:

```
npm install -g aicontainer
cd my-project
aic init
aic up
aic shell   # (or open the folder in VS Code)
```

It works for both Claude Code and Codex (pick one or both per project), keeps your host shell look-and-feel, and there’s no AI-generated config. The defaults are all documented in the README so you know exactly what you’re adopting.

Honest disclaimer: this is not bulletproof. An AI can still cause damage inside the sandbox, and the Docker socket access is a footgun reducer, not a hard host-isolation boundary. DO NOT run genuinely untrusted code in it. But it mitigates a lot of the worst-case “oops it touched my whole machine” scenarios, which is what I wanted.

It’s MIT licensed. Any feedback appreciated — (YIKES, an em dash!) happy to hear what you’d want added or where the threat model could be tighter. :)
Originally posted by u/stefano_dev on r/ClaudeCode
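An added illustration of the PreToolUse hook idea described in the post above. This is example code written for this page, not aicontainer's own hook, and it assumes a hook contract that is not spelled out in the post: the agent hands the hook one JSON object on stdin carrying `tool_name` and `tool_input` (with `file_path` for file tools and `command` for shell tools), exit status 2 plus a message on stderr means "block", and exit 0 means "allow". The tool names (`Read`, `Write`, `Edit`, `Bash`, ...) are likewise assumed. It covers the three rules the post names (reads of `.env*`, pipe-to-shell, writes under `.devcontainer/`) and goes one step further by also refusing shell commands that set a git `credential.helper`, which the post handles by locking the git config rather than in the hook.

```python
"""PreToolUse guard for an agent running with auto-approve inside a sandbox.

Added example (not aicontainer's code). Assumed hook contract: one JSON event on
stdin with "tool_name" and "tool_input"; exit 2 + stderr message blocks the call.
"""
from __future__ import annotations

import json
import re
import sys
from pathlib import PurePosixPath

# Assumed tool names; adjust to the agent you run.
READ_TOOLS = {"Read", "Grep", "Glob"}
WRITE_TOOLS = {"Write", "Edit", "MultiEdit"}
SHELL_TOOLS = {"Bash"}

# curl/wget output piped straight into a shell, with optional sudo.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")
# `git config ... credential.helper ...` in any scope (beyond the post's own rule set).
CRED_HELPER = re.compile(r"\bgit\s+config\b.*\bcredential\.helper\b")
# A bare .env or .env.<suffix> path token inside a shell command (cat .env, source ./.env.local).
SHELL_ENV_READ = re.compile(r"(?:^|\s|/)\.env(?:\.[\w.-]+)?(?=\s|$)")
# Redirections or copy/edit verbs whose target lies under .devcontainer/.
SHELL_DEVCONTAINER_WRITE = re.compile(r"(>>?|\btee\b|\bcp\b|\bmv\b|\bsed\s+-i)[^;|&]*\.devcontainer/")


def _is_env_file(path: str) -> bool:
    name = PurePosixPath(path).name
    return name == ".env" or name.startswith(".env.")


def _in_devcontainer(path: str) -> bool:
    return ".devcontainer" in PurePosixPath(path).parts


def decide(event: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for one tool event. Unknown tools are allowed."""
    tool = event.get("tool_name", "")
    inp = event.get("tool_input") or {}
    path = inp.get("file_path") or inp.get("path") or ""
    cmd = inp.get("command") or ""

    if tool in READ_TOOLS and path and _is_env_file(path):
        return False, f"blocked read of secrets file: {path}"
    if tool in WRITE_TOOLS and path and _in_devcontainer(path):
        return False, f"blocked write inside .devcontainer/: {path}"
    if tool in SHELL_TOOLS and cmd:
        if PIPE_TO_SHELL.search(cmd):
            return False, "blocked pipe-to-shell install pattern"
        if CRED_HELPER.search(cmd):
            return False, "blocked change of git credential.helper"
        if SHELL_ENV_READ.search(cmd):
            return False, "blocked shell access to a .env* file"
        if SHELL_DEVCONTAINER_WRITE.search(cmd):
            return False, "blocked shell write under .devcontainer/"
    return True, "ok"


def main() -> int:
    """Entry point used when the agent invokes this file as a hook."""
    try:
        event = json.load(sys.stdin)
    except json.JSONDecodeError:
        # Fail closed: an event we cannot parse is not one we can vet.
        print("hook: unreadable tool event, refusing", file=sys.stderr)
        return 2
    allowed, reason = decide(event)
    if not allowed:
        print(f"hook: {reason}", file=sys.stderr)
        return 2
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Wire it in as the agent's PreToolUse hook so it runs before every tool call, including under bypass mode. The checks are deliberately simple string and path rules, so they catch the obvious patterns and nothing more; the post's other layers (read-only mounts, the locked git config, the filtered Docker socket) are what make a rule miss survivable.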
