feat: add Docker isolation mode for safer YOLO execution

When Docker is available, tasks can opt into running inside a container.
Only the project directory is bind-mounted (read-write), so agents
cannot accidentally delete or modify files outside the project.

- spawnAgent() wraps command in `docker run` when dockerMode is set
- Mounts ~/.ssh and ~/.gitconfig read-only for git operations
- Forwards API keys and git identity env vars into container
- NewTaskDialog shows "Run in Docker container" toggle when Docker detected
- SettingsDialog allows configuring the default Docker image
- Docker availability checked at app startup via `docker info`
- Full persistence of dockerMode/dockerImage per task

https://claude.ai/code/session_012QrKQQBc2hmjhPmkH2Fk6T

Author: claude

electron/ipc/channels.ts

@@ -86,6 +86,9 @@ export enum IPC {
   AskAboutCode = 'ask_about_code',
   CancelAskAboutCode = 'cancel_ask_about_code',
 
+  // Docker
+  CheckDockerAvailable = 'check_docker_available',
+
   // Notifications
   ShowNotification = 'show_notification',
   NotificationClicked = 'notification_clicked',

electron/ipc/pty.ts

@@ -88,6 +88,8 @@ export function spawnAgent(
     cols: number;
     rows: number;
     isShell?: boolean;
+    dockerMode?: boolean;
+    dockerImage?: string;
     onOutput: { __CHANNEL_ID__: string };
   },
 ): void {
@@ -102,7 +104,12 @@ export function spawnAgent(
     throw new Error(`Command contains disallowed characters: ${command}`);
   }
 
-  validateCommand(command);
+  // In Docker mode, we validate `docker` exists rather than the inner command
+  if (!args.dockerMode) {
+    validateCommand(command);
+  } else {
+    validateCommand('docker');
+  }
 
   // Kill any existing session with the same agentId to prevent PTY leaks
   const existing = sessions.get(args.agentId);
@@ -148,12 +155,40 @@ export function spawnAgent(
   delete spawnEnv.CLAUDE_CODE_SESSION;
   delete spawnEnv.CLAUDE_CODE_ENTRYPOINT;
 
-  const proc = pty.spawn(command, args.args, {
+  let spawnCommand: string;
+  let spawnArgs: string[];
+
+  if (args.dockerMode) {
+    const image = args.dockerImage || 'ubuntu:latest';
+    spawnCommand = 'docker';
+    spawnArgs = [
+      'run',
+      '--rm',
+      '-it',
+      // Mount the project directory as the only writable volume
+      '-v',
+      `${cwd}:${cwd}`,
+      '-w',
+      cwd,
+      // Forward env vars the agent needs (API keys, git config, etc.)
+      ...buildDockerEnvFlags(spawnEnv),
+      // Mount SSH and git config read-only for git operations
+      ...buildDockerCredentialMounts(),
+      image,
+      command,
+      ...args.args,
+    ];
+  } else {
+    spawnCommand = command;
+    spawnArgs = args.args;
+  }
+
+  const proc = pty.spawn(spawnCommand, spawnArgs, {
     name: 'xterm-256color',
     cols: args.cols,
     rows: args.rows,
-    cwd,
-    env: spawnEnv,
+    cwd: args.dockerMode ? undefined : cwd,
+    env: args.dockerMode ? filteredEnv : spawnEnv,
   });
 
   const session: PtySession = {
@@ -344,3 +379,69 @@ export function getAgentCols(agentId: string): number {
   const s = sessions.get(agentId);
   return s ? s.proc.cols : 80;
 }
+
+// --- Docker mode helpers ---
+
+/** Env vars to forward into the Docker container (API keys, git identity, etc.). */
+const DOCKER_ENV_FORWARD = [
+  'ANTHROPIC_API_KEY',
+  'OPENAI_API_KEY',
+  'GEMINI_API_KEY',
+  'GOOGLE_API_KEY',
+  'GIT_AUTHOR_NAME',
+  'GIT_AUTHOR_EMAIL',
+  'GIT_COMMITTER_NAME',
+  'GIT_COMMITTER_EMAIL',
+  'TERM',
+  'COLORTERM',
+  'LANG',
+  'HOME',
+  'USER',
+  'PATH',
+];
+
+function buildDockerEnvFlags(env: Record<string, string>): string[] {
+  const flags: string[] = [];
+  for (const key of DOCKER_ENV_FORWARD) {
+    if (env[key]) {
+      flags.push('-e', `${key}=${env[key]}`);
+    }
+  }
+  return flags;
+}
+
+function buildDockerCredentialMounts(): string[] {
+  const mounts: string[] = [];
+  const home = process.env.HOME;
+  if (!home) return mounts;
+
+  // Mount SSH directory read-only for git push/pull
+  const sshDir = `${home}/.ssh`;
+  try {
+    fs.accessSync(sshDir, fs.constants.R_OK);
+    mounts.push('-v', `${sshDir}:${sshDir}:ro`);
+  } catch {
+    // No .ssh dir — skip
+  }
+
+  // Mount git config read-only
+  const gitconfig = `${home}/.gitconfig`;
+  try {
+    fs.accessSync(gitconfig, fs.constants.R_OK);
+    mounts.push('-v', `${gitconfig}:${gitconfig}:ro`);
+  } catch {
+    // No .gitconfig — skip
+  }
+
+  return mounts;
+}
+
+/** Check if Docker is available on the system. */
+export async function isDockerAvailable(): Promise<boolean> {
+  try {
+    execFileSync('docker', ['info'], { encoding: 'utf8', timeout: 5000, stdio: 'pipe' });
+    return true;
+  } catch {
+    return false;
+  }
+}

electron/ipc/register.ts

@@ -12,6 +12,7 @@ import {
   countRunningAgents,
   killAllAgents,
   getAgentMeta,
+  isDockerAvailable,
 } from './pty.js';
 import { ensurePlansDirectory, startPlanWatcher, readPlanForWorktree } from './plans.js';
 import { startRemoteServer } from '../remote/server.js';
@@ -124,6 +125,7 @@ export function registerAllHandlers(win: BrowserWindow): void {
 
   // --- Agent commands ---
   ipcMain.handle(IPC.ListAgents, () => listAgents());
+  ipcMain.handle(IPC.CheckDockerAvailable, () => isDockerAvailable());
 
   // --- Task commands ---
   ipcMain.handle(IPC.CreateTask, (_e, args) => {

electron/preload.cjs

@@ -76,6 +76,9 @@ const ALLOWED_CHANNELS = new Set([
   'get_remote_status',
   // Plan
   'plan_content',
+  'read_plan_content',
+  // Docker
+  'check_docker_available',
   // Ask about code
   'ask_about_code',
   'cancel_ask_about_code',

src/App.tsx

@@ -43,6 +43,7 @@ import {
   setNewTaskDropUrl,
   validateProjectPaths,
   setPlanContent,
+  setDockerAvailable,
 } from './store/store';
 import { isGitHubUrl } from './lib/github-url';
 import type { PersistedWindowState } from './store/types';
@@ -287,6 +288,10 @@ function App() {
     })();
 
     await loadAgents();
+    invoke<boolean>(IPC.CheckDockerAvailable).then(
+      (available) => setDockerAvailable(available),
+      () => setDockerAvailable(false),
+    );
     await loadState();
 
     // Restore plan content for tasks that had a plan file before restart

src/components/NewTaskDialog.tsx

@@ -15,6 +15,8 @@ import {
   hasDirectModeTask,
   getGitHubDropDefaults,
   setPrefillPrompt,
+  setDockerAvailable,
+  setDockerImage,
 } from '../store/store';
 import { toBranchName, sanitizeBranchPrefix } from '../lib/branch-name';
 import { cleanTaskName } from '../lib/clean-task-name';
@@ -42,6 +44,7 @@ export function NewTaskDialog(props: NewTaskDialogProps) {
   const [selectedDirs, setSelectedDirs] = createSignal<Set<string>>(new Set());
   const [directMode, setDirectMode] = createSignal(false);
   const [skipPermissions, setSkipPermissions] = createSignal(false);
+  const [dockerMode, setDockerMode] = createSignal(false);
   const [branchPrefix, setBranchPrefix] = createSignal('');
   let promptRef!: HTMLTextAreaElement;
   let formRef!: HTMLFormElement;
@@ -105,8 +108,14 @@ export function NewTaskDialog(props: NewTaskDialogProps) {
     setLoading(false);
     setDirectMode(false);
     setSkipPermissions(false);
+    setDockerMode(false);
 
     void (async () => {
+      // Check Docker availability in background
+      invoke<boolean>(IPC.CheckDockerAvailable).then(
+        (available) => setDockerAvailable(available),
+        () => setDockerAvailable(false),
+      );
       if (store.availableAgents.length === 0) {
         await loadAgents();
       }
@@ -296,6 +305,8 @@ export function NewTaskDialog(props: NewTaskDialogProps) {
           initialPrompt: isFromDrop ? undefined : p,
           githubUrl: ghUrl,
           skipPermissions: agentSupportsSkipPermissions() && skipPermissions(),
+          dockerMode: dockerMode() || undefined,
+          dockerImage: dockerMode() ? store.dockerImage : undefined,
         });
       } else {
         taskId = await createTask({
@@ -307,6 +318,8 @@ export function NewTaskDialog(props: NewTaskDialogProps) {
           branchPrefixOverride: prefix,
           githubUrl: ghUrl,
           skipPermissions: agentSupportsSkipPermissions() && skipPermissions(),
+          dockerMode: dockerMode() || undefined,
+          dockerImage: dockerMode() ? store.dockerImage : undefined,
         });
       }
       // Drop flow: prefill prompt without auto-sending
@@ -589,6 +602,72 @@ export function NewTaskDialog(props: NewTaskDialogProps) {
           </div>
         </Show>
 
+        {/* Docker isolation toggle */}
+        <Show when={store.dockerAvailable}>
+          <div
+            data-nav-field="docker-mode"
+            style={{ display: 'flex', 'flex-direction': 'column', gap: '8px' }}
+          >
+            <label
+              style={{
+                display: 'flex',
+                'align-items': 'center',
+                gap: '8px',
+                'font-size': '12px',
+                color: theme.fg,
+                cursor: 'pointer',
+              }}
+            >
+              <input
+                type="checkbox"
+                checked={dockerMode()}
+                onChange={(e) => setDockerMode(e.currentTarget.checked)}
+                style={{ 'accent-color': theme.accent, cursor: 'inherit' }}
+              />
+              Run in Docker container
+            </label>
+            <Show when={dockerMode()}>
+              <div
+                style={{
+                  'font-size': '12px',
+                  color: theme.success ?? theme.accent,
+                  background: `color-mix(in srgb, ${theme.success ?? theme.accent} 8%, transparent)`,
+                  padding: '8px 12px',
+                  'border-radius': '8px',
+                  border: `1px solid color-mix(in srgb, ${theme.success ?? theme.accent} 20%, transparent)`,
+                }}
+              >
+                The agent will run inside a Docker container. Only the project directory is mounted
+                — files outside the project are protected from accidental deletion.
+              </div>
+              <div style={{ display: 'flex', 'align-items': 'center', gap: '8px' }}>
+                <label
+                  style={{ 'font-size': '11px', color: theme.fgMuted, 'white-space': 'nowrap' }}
+                >
+                  Image:
+                </label>
+                <input
+                  type="text"
+                  value={store.dockerImage}
+                  onInput={(e) => setDockerImage(e.currentTarget.value)}
+                  placeholder="ubuntu:latest"
+                  style={{
+                    flex: '1',
+                    background: theme.bgInput,
+                    border: `1px solid ${theme.border}`,
+                    'border-radius': '6px',
+                    padding: '5px 10px',
+                    color: theme.fg,
+                    'font-size': '12px',
+                    'font-family': "'JetBrains Mono', monospace",
+                    outline: 'none',
+                  }}
+                />
+              </div>
+            </Show>
+          </div>
+        </Show>
+
         <Show when={ignoredDirs().length > 0 && !directMode()}>
           <SymlinkDirPicker
             dirs={ignoredDirs()}

src/components/SettingsDialog.tsx

@@ -12,6 +12,7 @@ import {
   setDesktopNotificationsEnabled,
   setInactiveColumnOpacity,
   setEditorCommand,
+  setDockerImage,
 } from '../store/store';
 import { CustomAgentEditor } from './CustomAgentEditor';
 import { mod } from '../lib/platform';
@@ -262,6 +263,66 @@ export function SettingsDialog(props: SettingsDialogProps) {
         </div>
       </div>
 
+      <Show when={store.dockerAvailable}>
+        <div style={{ display: 'flex', 'flex-direction': 'column', gap: '10px' }}>
+          <div
+            style={{
+              'font-size': '11px',
+              color: theme.fgMuted,
+              'text-transform': 'uppercase',
+              'letter-spacing': '0.05em',
+              'font-weight': '600',
+            }}
+          >
+            Docker Isolation
+          </div>
+          <div
+            style={{
+              display: 'flex',
+              'flex-direction': 'column',
+              gap: '6px',
+              padding: '8px 12px',
+              'border-radius': '8px',
+              background: theme.bgInput,
+              border: `1px solid ${theme.border}`,
+            }}
+          >
+            <label
+              style={{
+                display: 'flex',
+                'align-items': 'center',
+                gap: '10px',
+              }}
+            >
+              <span style={{ 'font-size': '13px', color: theme.fg, 'white-space': 'nowrap' }}>
+                Default image
+              </span>
+              <input
+                type="text"
+                value={store.dockerImage}
+                onInput={(e) => setDockerImage(e.currentTarget.value)}
+                placeholder="ubuntu:latest"
+                style={{
+                  flex: '1',
+                  background: theme.taskPanelBg,
+                  border: `1px solid ${theme.border}`,
+                  'border-radius': '6px',
+                  padding: '6px 10px',
+                  color: theme.fg,
+                  'font-size': '13px',
+                  'font-family': "'JetBrains Mono', monospace",
+                  outline: 'none',
+                }}
+              />
+            </label>
+            <span style={{ 'font-size': '11px', color: theme.fgSubtle }}>
+              Docker image used when "Run in Docker container" is enabled for a task. The agent
+              runs inside the container with only the project directory mounted.
+            </span>
+          </div>
+        </div>
+      </Show>
+
       <div style={{ display: 'flex', 'flex-direction': 'column', gap: '10px' }}>
         <div
           style={{

src/components/TaskPanel.tsx

@@ -1236,6 +1236,8 @@ export function TaskPanel(props: TaskPanelProps) {
                             : []),
                         ]}
                         cwd={props.task.worktreePath}
+                        dockerMode={props.task.dockerMode}
+                        dockerImage={props.task.dockerImage}
                         onExit={(code) => markAgentExited(a().id, code)}
                         onData={(data) => markAgentOutput(a().id, data, props.task.id)}
                         onPromptDetected={(text) => setLastPrompt(props.task.id, text)}