
Show HN: YSA – Sandbox for AI agents with outbound network control

https://github.com/ysa-ai/ysa
2•jordanedev•1h ago
I've been running Claude CLI on production codebases and got uncomfortable not knowing what could leak outbound — especially in case of prompt injection.

YSA runs Claude CLI inside a rootless Podman container with a git worktree per task. Each container gets:

- A MITM proxy (L7): TLS termination, GET-only enforcement, body blocked, URL length cap, outbound byte budget, rate limiting per domain
- iptables rules via OCI hook (L3/L4): all outbound traffic blocked except through the proxy
- seccomp whitelist, all capabilities dropped, read-only filesystem, no-new-privileges

The repo includes a basic dashboard to run tasks in parallel and visualize per-container network traffic in real time.

Early but functional — I use it daily.

Especially curious about feedback on the security model and proxy bypass detection.
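
The L7 checks listed in the post (GET-only, body blocked, URL length cap, outbound byte budget, per-domain rate limit) can be sketched as one policy function. This is an added example, not part of the original post and not YSA's code; the class name `EgressPolicy`, the reason strings and every limit value are assumptions.

```python
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit


class EgressPolicy:
    """L7 egress checks for one container. All limits are assumed values."""

    def __init__(self, max_url_len=2048, byte_budget=64_000,
                 rate_limit=5, window_s=60.0):
        self.max_url_len = max_url_len
        self.bytes_left = byte_budget      # total outbound bytes still allowed
        self.rate_limit = rate_limit       # allowed requests per host per window
        self.window_s = window_s
        self.hits = defaultdict(deque)     # host -> times of allowed requests

    def check(self, method, url, headers, body=b"", now=None):
        """Return (allowed, reason) for one decrypted outbound request."""
        now = time.monotonic() if now is None else now
        h = {k.lower(): v for k, v in headers.items()}
        host = (urlsplit(url).hostname or "").lower()
        if not host:
            return False, "no-host"
        if method.upper() != "GET":
            return False, "method-not-get"
        # A GET may still carry a body; refuse any sign of one.
        if body or h.get("content-length", "0").strip() not in ("", "0") \
                or "transfer-encoding" in h:
            return False, "body-present"
        if len(url) > self.max_url_len:
            return False, "url-too-long"
        # With bodies blocked, URL and headers are what leaves the sandbox.
        cost = len(url) + sum(len(k) + len(v) for k, v in h.items())
        if cost > self.bytes_left:
            return False, "byte-budget-exhausted"
        recent = self.hits[host]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()               # forget requests outside the window
        if len(recent) >= self.rate_limit:
            return False, "rate-limited"
        recent.append(now)
        self.bytes_left -= cost
        return True, "ok"
```

Denied requests are not charged against the byte budget or the rate window here, so the reason strings can be logged as they are for per-container traffic review.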