Once approval fatigue and ongoing permission management kick in, the temptation is strong to run `--dangerously-skip-permissions`. I think that's what we all want - run agents in a locked-down sandbox where the blast radius of mistakes and/or prompt injection attacks is minimal/acceptable.
I started running Claude Code in a devcontainer with limited file access (repo only) and limited outbound network access (allowlist only) for that reason.
This weekend, I generalized this to work with docker compose. Next up is support for additional agents (Codex, OpenCode, etc). After that, I'd like to force all network access through a proxy running on the host for greater control and logging (currently it uses iptables rules).
This workflow has been working well for me so far.
I wanted to vibe code an app in an evening with some friends, including setting up Coolify for production and testing environments. Ended up giving Claude root access to a cluster of servers. Vibe coded the entire application with 3 people. Did not touch a line of code. The only shell command given was claude. It spent a couple of hours self-configuring the system. The result was remarkably good. Amazing how far we are already in the AI race.
I must have been living under a rock for the past five years, because Crystal went completely unnoticed until last week. As a long time Ruby programmer, I'm eager to give it a try.
I love Crystal. I'm really enjoying the type system and the introduction of tuples and named tuples (instead of just using arrays and hashes everywhere). It makes it so much easier to reason about your code and catch common bugs.
I really like this statement: "Every new piece of software is a machine that has never been built before. The process of describing how the machine works is the same as building the machine."
That's probably the best way of relating the problem to non-engineers that I've heard.
Still fresh, so may be rough around the edges, but check it out: https://github.com/mattolson/agent-sandbox