Run Claude Code with full autonomous permissions - safely sandboxed in Docker.
One command. Per-project isolation. Zero risk to your host.
curl -fsSL https://raw.githubusercontent.com/coder-pm/claude-isolated/main/install.sh | bashcd ~/your-project && claudeiThat's it. First run builds the Docker image (~2 min), starts an isolated container for your project, and drops you into Claude Code with full permissions, all sandboxed.
┌─────────────────────┐ ┌─────────────────────────────────┐
│ Your machine │ │ Docker container │
│ │ │ │
│ ~/my-project ───────────> │ /workspace │
│ ~/.claude ──────────────> │ /home/coder/.claude │
│ │ │ │
│ Everything else │ │ Claude Code runs free here: │
│ is untouched. │ │ install, build, delete, run │
│ │ │ anything. Fully sandboxed. │
└─────────────────────┘ └─────────────────────────────────┘
- Docker -- must be installed and running
- macOS or Linux (Windows support via WSL2)
- An Anthropic account -- team or Pro plan
- git -- used by the installer
Claude Code with --dangerously-skip-permissions is the fastest way to build software with AI. No confirmation dialogs, no permission prompts. Claude just does what you ask. But on your actual machine, that means:
- System files and configs can be modified or deleted
- Packages can be installed, upgraded, or removed system-wide
- Dotfiles, SSH keys, or credentials can be read or overwritten
- Other projects on your machine can be accessed or changed
- A single bad command can render your OS unbootable
Claude Isolated gives you the best of both worlds:
| Without isolation | With Claude Isolated | |
|---|---|---|
| Claude can edit project files | Yes | Yes |
| Claude can install packages | Yes (on your system) | Yes (in container) |
| Claude can run any command | Yes (on your system) | Yes (in container) |
| Claude can access other projects | Yes | No |
| Claude can modify your system | Yes | No |
| Claude can read ~/.ssh, credentials | Yes | No |
| Safe to leave running overnight | No | Yes |
| File ownership issues | N/A | None (UID/GID mapped) |
- One command --
claudeibuilds, starts, and launches everything - Per-project isolation -- each project gets its own container, run multiple projects in parallel
- Session persistence -- stop and resume sessions without losing context
- Safe for unattended use -- let Claude work overnight without risking your system
- Zero file permission issues -- container user matches your host UID/GID automatically
- Shared auth -- log in once, all containers use the same credentials
- Lightweight -- Debian-slim-based image with Node.js, Python, Git, build-essential, vim, jq, and clipboard utilities
- Auto-upgrade notifications -- checks for updates once per day and notifies you before launching Claude
I was deep into vibe coding. Shipping features fast, letting Claude Code run with --dangerously-skip-permissions so it could execute anything without interrupting my flow. It was incredible. I'd kick off tasks, step away, come back to working code. I was running multiple projects on my Mac, sometimes leaving Claude running overnight while it worked through larger refactors.
Then one morning I opened my laptop and nothing worked. The system was completely broken. Apps wouldn't launch, the terminal was unusable, core system files had been modified. Claude had been working autonomously through the night, and somewhere along the way it had started making changes outside the project directory. It tried to fix a dependency issue by modifying system-level configs, which cascaded into more "fixes" across the filesystem. By the time it was done, macOS was unrecoverable.
I had to restore my entire machine from a Time Machine backup. Hours of setup, re-authenticating everything, recreating local state that wasn't backed up. All because I gave an AI unrestricted access to my actual system.
The thing is, I didn't want to stop using --dangerously-skip-permissions. The productivity gain is real. Claude Code without permission gates is a different experience entirely: it moves fast, installs what it needs, runs builds and tests, iterates on errors, all without waiting for you to click "allow" fifty times. Going back to the default permission mode felt like putting the brakes back on.
So I built Claude Isolated. Same unrestricted power, but inside a Docker container where the blast radius is zero. Claude can rm -rf / inside the sandbox and my Mac won't even notice. Each project gets its own container, my host system is completely untouched, and I never have to worry about what Claude does when I'm not looking.
I haven't restored from a backup since.
curl -fsSL https://raw.githubusercontent.com/coder-pm/claude-isolated/main/install.sh | bashThis clones the repo to ~/.claude-isolated, checks out the latest stable release tag, and symlinks claudei into your PATH.
git clone https://github.com/coder-pm/claude-isolated.git
cd claude-isolated
git checkout "$(git tag -l | grep -E '^v[0-9]' | sort -V | tail -1)"
./claude-docker installReleases are published as git tags (e.g. v0.1.0). The updater fetches tags and checks out the latest one:
claudei updateTo also update Claude Code inside the container:
claudei rebuildcd ~/your-project
claudei # starts the container + launches Claude
# Claude will prompt you to log in on first runOr authenticate separately:
claudei start # start the container
claudei login # opens a browser URL to sign inCredentials are saved to ~/.claude on your host and shared across all containers automatically. Log in once, every container picks it up.
cd ~/your-project
claudeiThat's it. You're inside Claude Code with full autonomous permissions, sandboxed in Docker.
# Start a new session
cd ~/my-project
claudei
# Resume your last session
claudei resume
# Check what's running
claudei ps
# Stop when done (keeps container for resume)
claudei stopEach project gets its own isolated container:
# Terminal 1
cd ~/backend && claudei
# Terminal 2
cd ~/frontend && claudei
# See all running containers
claudei ps Claude containers:
● claude-backend-1a2b3c4d
Up 12 minutes
/Users/you/backend
● claude-frontend-5e6f7a8b
Up 3 minutes
/Users/you/frontend
| Command | Description |
|---|---|
claudei |
Build + run + launch Claude Code (all-in-one) |
claudei resume |
Resume the most recent session |
| Command | Description |
|---|---|
claudei stop [path] |
Stop this project's container (keeps it for resume) |
claudei rm [path] |
Stop and remove container permanently |
claudei stop-all |
Stop all Claude containers |
claudei build |
Build the Docker image |
claudei rebuild |
Force rebuild the image from scratch |
claudei clean |
Stop everything and remove the image |
claudei nuke |
Remove all containers, images, and build cache |
| Command | Description |
|---|---|
claudei claude [path] |
Attach Claude Code to a running container |
claudei shell [path] |
Open bash inside the container |
claudei login [path] |
Authenticate with Anthropic (OAuth) |
claudei logs [path] |
Tail container logs |
| Command | Description |
|---|---|
claudei status [path] |
Show container, image, and auth status |
claudei ps |
List all Claude containers (running and stopped) |
claudei update |
Check for updates and install the latest version |
claudei version |
Show current version |
All commands default to the current working directory if [path] is omitted.
┌──────────────────────────────────────────────────────────────┐
│ Your machine │
│ │
│ ~/.claude ──────────────┐ (auth, sessions, settings) │
│ ~/.claude.json ─────────┼── (config) │
│ ~/my-project ───────────┼──────────────────────┐ │
│ │ │ │
│ ┌────────────────────────┼──────────────────────┼───────┐ │
│ │ Docker container │ │ │ │
│ │ v v │ │
│ │ /home/coder/.claude /workspace │ │
│ │ /home/coder/.claude.json │ │
│ │ │ │
│ │ Claude Code (--dangerously-skip-permissions) │ │
│ │ │ │
│ │ Can: read/write project, install packages, run cmds │ │
│ │ Cannot: touch host system, access other projects │ │
│ └───────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────┘
| File | Purpose |
|---|---|
claude-docker |
CLI script (symlinked as claudei and claude-isolated) |
Dockerfile-claude |
Debian slim image with Claude Code (native installer) |
entrypoint.sh |
Maps host UID/GID into the container so files are owned by you |
install.sh |
One-line installer (curl | bash) |
- Builds the Docker image (first run only) -- Debian slim with Node.js, Python, Git, build-essential, vim, jq, clipboard utilities, and Claude Code CLI
- Starts a container named
claude-<dirname>-<hash>(hash derived from the full project path) with your project mounted at/workspace - Maps your UID/GID into the container so files created by Claude are owned by you on the host
- Mounts
~/.claudefor shared authentication across all containers - Launches Claude Code with
--dangerously-skip-permissionsinside the sandbox
Containers run with these protections by default:
--pids-limit 1024-- prevents fork bombs from affecting the host--memory 8g-- prevents runaway processes from exhausting host memory- Numeric UID/GID validation in the entrypoint to prevent injection attacks
- Debian slim base image with minimal attack surface
Claude Isolated checks for new release tags once every 24 hours via git ls-remote --tags (a lightweight network call that fetches no objects). When a newer version is available, you'll see a notice before Claude Code launches:
┌──────────────────────────────────────────────────────┐
│ Update available v0.1.0 → v0.2.0 │
│ Run claudei update to install the latest version. │
└──────────────────────────────────────────────────────┘
- The check runs at most once per day — it will not slow down subsequent launches.
- The result is cached in
.update_checkinside the installation directory (~/.claude-isolated). - The notification is informational only — it will never interrupt or block your workflow.
- To upgrade, run
claudei update. To also update Claude Code inside containers, follow up withclaudei rebuild.
Cannot connect to the Docker daemon
Start Docker Desktop or the Docker daemon, then retry.
# If /usr/local/bin is not writable, the installer uses sudo automatically.
# You can also install to a custom location:
ln -sf "$(pwd)/claude-docker" ~/.local/bin/claudeiEach container is named claude-<dirname>-<hash> where the hash is derived from the full absolute path of the project directory. This means two projects with the same directory name (e.g. ~/code/client-a/api and ~/code/client-b/api) get separate containers automatically. The container name is printed before every session so you always know which sandbox you're in.
The Claude Code CLI is baked into the Docker image. To get the latest version:
claudei rebuildThis shouldn't happen. The entrypoint maps your host UID/GID. If it does, check that Docker is passing through HOST_UID and HOST_GID correctly:
claudei shell
id # should show your UID/GIDclaudei clean # remove all containers + image
claudei uninstall # remove CLI symlinks
rm -rf ~/.claude-isolated # remove the repo cloneYour project files and ~/.claude credentials are never touched.
Contributions are welcome! Please open an issue or submit a pull request.
git clone https://github.com/coder-pm/claude-isolated.git
cd claude-isolated
# Make your changes on main, test locally
./claude-docker start ~/some-test-projectReleases are cut by tagging a commit on main:
git tag v0.2.0
git push --tagsThe installer and updater both resolve the latest semver tag automatically. No release branch is needed.
Claude Code sandbox | Docker isolation for AI coding agents | Safe --dangerously-skip-permissions | Autonomous AI development | Vibe coding without risk