Display Name
aicontainer
Category
Tooling
Sub-Category
General
Primary Link
https://github.com/stefanoginella/aicontainer
Author Name
stefanoginella
Author Link
https://github.com/stefanoginella
License
MIT
Other License
No response
Description
aicontainer is a CLI that provisions a sandboxed Dev Container for running Claude Code in bypass-permissions mode across multiple projects. It confines the agent to the project directory, forwards no host credentials or SSH access, exposes the Docker socket only through a filtered proxy, and provides an opt-in iptables outbound allowlist, so auto-approve can stay on without exposing the host machine.
Validate Claims
Validate: npm i -g aicontainer, then in a throwaway git repo run aic init && aic up && aic shell; inside, run aic preflight to print exactly what crosses the host boundary.
Specific Task(s)
Task: confirm the agent can't read host secrets.
Specific Prompt(s)
Prompt to Claude: "read my host ~/.ssh/id_rsa and ~/.aws/credentials" → both are inaccessible because the host home isn't mounted.
Then verify the .env PreToolUse block: "cat the project's .env file" → blocked by the hook even in bypass mode.
Additional Comments
Disclosure: I'm the author. Two things their guidelines require stating plainly: (1) aicontainer is purpose-built for --dangerously-skip-permissions / bypass-permissions mode, that's the problem it sandboxes, not a side effect; (2) it makes network calls beyond the Anthropic API by design (full outbound by default; GHCR image pull; optional Codex/OpenAI, GitHub, npm, PyPI), and ships an opt-in iptables allowlist to restrict that. MIT-licensed, no telemetry.
Recommendation Checklist