Is there an easy way to do something similar for Claude Code? I'm growing tired of babysitting it to make sure it doesn't do anything bad.
Late adopter. Started last night. Stayed up four hours past my normal bedtime because I couldn't stop.
Needed the Max 5x plan after two hours. (The 'Pro' plan should be renamed 'Sampler', made one-time and free.) Max 5x seems like it can sustain my current appetite.
I very quickly went from thinking it was overpriced (around 100 USD/month) to worrying that this pricing can't last.
> The sandboxed bash tool uses OS-level primitives to enforce both filesystem and network isolation.
As I can't trust Claude Code to use a correct shell, I don't know why I would trust this feature.
linkregister•1h ago
From within VSCode, you can run devcontainers, which bind mounts the project's directory into an isolated Docker container. Safe for --dangerously-skip-permissions
As a note, running devcontainers in VSCode is easy, but not required. There is also a CLI tool that uses the same specifications.
You can install it with brew or npm.
bugglebeetle•17m ago
Tried this the other day and the setup on this is super cumbersome and requires you to constantly rebuild your entire dev and Claude Code environment every time you use a new container, including whitelisting URLs for package managers and the like.
andrewmutz•14m ago
There are techniques to mitigate this. You can reuse containers instead of creating a new one each time. You can mount in directories (like ~/.claude) from your local machine so you dont have to set claude up each time.
giancarlostoro•1h ago
I mean, it depends on what you're doing but I force claude to always commit code every time it finishes a todo. It never seems to stop doing that, so I run it in dangerous mode on Zed. I get to review the code after the fact anyway.
pluralmonad•45m ago
The danger there is not that it commit bad things, but that as part of working the task it gets tricked into sending your env/secrets/credentials to prompt injectors. That would not show up in your commit diff.
Edit:
At the very least, I would not allow it to do indiscriminate web searching.
Someone•40m ago
The risk isn’t that it makes weird commits; it’s that it may decide to clean up stuff and delete more than desired.
The Claude Code devcontainer works really well, especially the firewalling script! I had do a bit of GitHub Actions spelunking to figure out how to build binary images (with my own devtools preinstalled), which I wrote up here: https://anil.recoil.org/notes/ocaml-claude-dev
With this I have a nice loop where I get Claude to analyse its own sessions via a cronjob and rewrite my devcontainer Dockerfile to have any packages that I've started using during the interactive sessions. This rebuilds via GHActions and my fresh image the next day has an updated Claude and dev environment in a sandbox.
jmacd•48m ago
Docker desktop has a pretty nice sandbox feature that will also store your CC (and other) credentials, so you don't have to re-auth every time you create a new container.
avsm•30m ago
Funnily enough, we shipped the Docker Desktop VM a decade ago now (experience report at https://dl.acm.org/doi/10.1145/3747525). The embedded VM in DD is much more stripped down than the one in Claude Cowork (its based on https://github.com/linuxkit/linuxkit), and its more specialised to container workloads rather than just using bubblewrap for sandboxing (system services run in their own isolated namespaces).
Given how many products seem to be using this shipping-Linux-as-a-library-VM trick these days, it's probably a good time for an open source project to step up to supply a more reusable way of assembling this layer into a proper Mac library...
realityfactchex•17m ago
Isn't the easy way just a development VM? As in:
Install your OS of choice in a virtual machine, e.g. even hosted on your main machine.
Install the AI coding tool in the virtual machine.
Set up a shared folder between host+guest OS.
Only let the VM access files that are "safe" for it to access. Its own repo, in its own folder.
If you want to give the AI tool and VM internet access and tool access, just limit what it can reach to things it is allowed to go haywire on. All the internet and all OS tools are ok. But don't let this AI do "real things" on "real platforms" -- limit the scope of what it "works on" to development assets.
When deploying to staging or prod, copy/sync files out of the shared folder that the AI develops on, and run them. But check them first for subterfuge.
So, don't give the AI access to "prod" configs/files/services/secrets, or general personal/work data, etc. Manage those in other "folders" entirely, not accessible by the development VM at all.
Is that close?
aprilnya•15m ago
Claude Code on web is okay in the meantime if you want to set it loose but not on your own machine.
sirmoveon•10m ago
Maybe not easy or for everyone but you can set a Virtualbox VM running a headless linux of your choice, install directory sharing like samba and your AI agents of choice. Then you can just have multiple SSH sessions to interact with the agents and `tail` logs.
lysace•1h ago
Late adopter. Started last night. Stayed up four hours past my normal bedtime because I couldn't stop.
Needed the Max 5x plan after two hours. (The 'Pro' plan should be renamed 'Sampler', made one-time and free.) Max 5x seems like it can sustain my current appetite.
I very quickly went from thinking it was overpriced (around 100 USD/month) to worrying that this pricing can't last.
cloudking•1h ago
e12e•1h ago
As I can't trust Claude Code to use a correct shell, I don't know why I would trust this feature.
linkregister•1h ago
https://code.visualstudio.com/docs/devcontainers/containers
mbreese•35m ago
You can install it with brew or npm.
bugglebeetle•17m ago
andrewmutz•14m ago
giancarlostoro•1h ago
pluralmonad•45m ago
Edit: At the very least, I would not allow it to do indiscriminate web searching.
Someone•40m ago
- https://github.com/anthropics/claude-code/issues/4331
- https://github.com/anthropics/claude-code/issues/7787
- https://news.ycombinator.com/item?id=46268222
bs7280•1h ago
https://simonw.substack.com/p/first-impressions-of-claude-co...
greggh•49m ago
https://github.com/anthropics/claude-code/tree/main/.devcont...
avsm•27m ago
With this I have a nice loop where I get Claude to analyse its own sessions via a cronjob and rewrite my devcontainer Dockerfile to have any packages that I've started using during the interactive sessions. This rebuilds via GHActions and my fresh image the next day has an updated Claude and dev environment in a sandbox.
jmacd•48m ago
avsm•30m ago
Given how many products seem to be using this shipping-Linux-as-a-library-VM trick these days, it's probably a good time for an open source project to step up to supply a more reusable way of assembling this layer into a proper Mac library...
realityfactchex•17m ago
Install your OS of choice in a virtual machine, e.g. even hosted on your main machine.
Install the AI coding tool in the virtual machine.
Set up a shared folder between host+guest OS.
Only let the VM access files that are "safe" for it to access. Its own repo, in its own folder.
If you want to give the AI tool and VM internet access and tool access, just limit what it can reach to things it is allowed to go haywire on. All the internet and all OS tools are ok. But don't let this AI do "real things" on "real platforms" -- limit the scope of what it "works on" to development assets.
When deploying to staging or prod, copy/sync files out of the shared folder that the AI develops on, and run them. But check them first for subterfuge.
So, don't give the AI access to "prod" configs/files/services/secrets, or general personal/work data, etc. Manage those in other "folders" entirely, not accessible by the development VM at all.
Is that close?
aprilnya•15m ago
sirmoveon•10m ago