With the latest models and a solid CLAUDE.md, I could reliably go from prompt to PR using Claude Code with --dangerously-skip-permissions. But that left me with two problems:
1. Safety: Running permissive mode on my host machine felt reckless. I needed real sandboxing — not just a container, but network isolation too.
2. Session management: I needed a way to run multiple long-running Claude Code sessions without juggling terminals.
I realized the ideal interaction model matches email: asynchronous, threaded, long-form. So I built a service that runs headless Claude Code inside rootless Podman containers, mapping email threads to agent sessions.
The security model goes beyond container isolation. All network traffic routes through an mitmproxy instance that enforces a per-repo allowlist — the agent can only reach pre-approved hosts. Credentials use a masked secrets system where containers get surrogate tokens; real values are swapped in by the proxy only for scoped hosts. Even if the agent is compromised via prompt injection, exfiltration paths are significantly constrained.
Today I develop two large projects (plus Airut itself) almost exclusively over email. I send a task, the agent works in its sandbox, and I get a PR to review. And I often do this from my phone while on the go.
Compared to OpenClaw, Airut is more opinionated — email-only, Claude-only, git-native — with a deeper sandbox (network allowlist, masked secrets, DNS exfiltration protection). Compared to enterprise agents, there's no issue tracker or web UI to fight with.
It's open source (MIT) and self-hosted. I'd love feedback on the security model and whether this async email workflow resonates.