This project provides a robust, secure wrapper for running AI agents like Claude Code in "YOLO mode" (--dangerously-skip-permissions) by solving the entire lethal trifecta:
- 🔒 Filesystem Isolation: The agent only sees your project directory and explicitly mounted volumes (like read-only `~/.ssh`). It cannot see your host filesystem.
- 👤 Privilege Isolation: The agent runs as a powerless, non-root `agent` user inside the container, with file permissions matched to your host user.
- 🔥 Network Isolation: A dynamic iptables firewall is built at startup, blocking all outbound network traffic except for DNS and a list of trusted domains you provide.
This tool is heavily inspired by deva.sh and Simon Willison's "Living dangerously with Claude".
This project has two parts:
- A Rust CLI (`rustyolo`): This is the wrapper you run on your host machine. It parses your arguments (volumes, network rules, auth paths) and programmatically constructs a secure `docker run` command.
- A Docker Image (`llm-rustyolo`): This image contains the agents (Claude Code, etc.) and an `entrypoint.sh` script. The script uses the arguments from the Rust CLI to build the firewall, fix file permissions, and then run the agent as a non-root user.
This approach combines the flexible auth and volume mounting from deva.sh with the strict network firewall we developed.
- Rust (install via https://rustup.rs)
- Docker (Docker Desktop on macOS, or docker.io on Linux)
```bash
# 1. Build the Rust CLI
cargo build --release
sudo cp target/release/rustyolo /usr/local/bin/

# 2. Build the Docker image
docker build -t llm-rustyolo:latest .
```

For detailed installation instructions, see INSTALL.md.
Once set up, you can go to any project directory and run your agent.
This is the most common use case. It allows the agent to access github.com (for git pull) and pypi.org (for pip install) but nothing else.
```bash
cd ~/my-new-project
rustyolo \
  --allow-domains "github.com api.github.com pypi.org files.pythonhosted.org" \
  -v ~/.ssh:/home/agent/.ssh:ro \
  -v ~/.gitconfig:/home/agent/.gitconfig:ro \
  --auth-home ~/.config/rustyolo \
  claude
```

This runs Claude with zero internet access.

```bash
rustyolo \
  -v ~/.ssh:/home/agent/.ssh:ro \
  --auth-home ~/.config/rustyolo \
  claude
```

You can pass any command and arguments after the agent name. rustyolo is smart enough to see you provided args and won't add its default "danger" flag.

```bash
rustyolo claude --help
```

```text
A secure, firewalled Docker wrapper for AI agents.

Usage: rustyolo [OPTIONS] [AGENT] [AGENT_ARGS]...

Arguments:
  [AGENT]
          The agent to run (e.g., 'claude')

          [default: claude]

  [AGENT_ARGS]...
          Arguments to pass directly to the agent (e.g., --help or -p "prompt")

Options:
  -v, --volume <VOLUMES>
          Additional volumes to mount (e.g., -v ~/.ssh:/home/agent/.ssh:ro)

  -e, --env <ENVS>
          Environment variables to pass (e.g., -e MY_VAR=value)

      --allow-domains <ALLOW_DOMAINS>
          Space-separated list of domains to allow outbound traffic to.
          All other traffic (except DNS) will be blocked.
          Example: --allow-domains "github.com pypi.org npmjs.com"
          Note: Anthropic domains are automatically added when using Claude.

          [env: TRUSTED_DOMAINS=]

      --auth-home <AUTH_HOME>
          Mount a persistent auth directory. Maps your local dir
          to '/home/agent/.config/rustyolo' in the container.
          Recommended: ~/.config/rustyolo

      --image <IMAGE>
          The Docker image to use

          [default: llm-rustyolo:latest]

  -h, --help
          Print help

  -V, --version
          Print version
```
- INSTALL.md - Detailed installation instructions
- CLAUDE.md - Complete documentation on how it works, security considerations, and advanced usage
MIT License
Contributions welcome! Please open an issue or PR.
