{"id":40157393,"url":"https://github.com/borenstein/yolo-cage","last_synced_at":"2026-02-01T16:05:10.047Z","repository":{"id":331792422,"uuid":"1131976249","full_name":"borenstein/yolo-cage","owner":"borenstein","description":"AI coding agents that can't exfiltrate secrets or merge their own PRs.","archived":false,"fork":false,"pushed_at":"2026-01-29T02:01:23.000Z","size":1809,"stargazers_count":102,"open_issues_count":6,"forks_count":4,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-01-29T05:47:35.804Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/borenstein.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/security-audit.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-11T04:07:57.000Z","updated_at":"2026-01-28T21:56:21.000Z","dependencies_parsed_at":"2026-01-19T16:01:01.380Z","dependency_job_id":null,"html_url":"https://github.com/borenstein/yolo-cage","commit_stats":null,"previous_names":["borenstein/yolo-cage"],"tags_count":22,"template":false,"template_full_name":null,"purl":"pkg:github/borenstein/yolo-cage","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/borenstein%2Fyolo-cage","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/borenstein%2Fyolo-cage/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/borenstein%2Fyolo-cage/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/borenstein%2Fyolo-cage/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/borenstein","download_url":"https://codeload.github.com/borenstein/yolo-cage/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/borenstein%2Fyolo-cage/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28981893,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-01T15:35:50.179Z","status":"ssl_error","status_checked_at":"2026-02-01T15:35:38.075Z","response_time":56,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-19T16:00:16.923Z","updated_at":"2026-02-01T16:05:10.040Z","avatar_url":"https://github.com/borenstein.png","language":"Python","readme":"# yolo-cage: autonomous coding agents that do no harm\n\nYou're a responsible engineer. You'd never just let an AI run roughshod through your most sensitive systems and codebases. \n\nThat's why you'd **never** just shut off the safeguards for a tool like Claude Code. It asks permission for every dangerous action! Safe!\n\nSo you wait. And you answer. Decision fatigue sets in. And that's when it happens.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/disaster.gif\" width=\"600\" alt=\"Agent deletes entire repo\"\u003e\n\u003c/p\u003e\n\nPermission prompts neglect the weakest part of the threat model: a tired user. What if we could empower the agent while limiting its blast radius, thus deferring your decisions until PR review?\n\nThat would be great! And that would be yolo-cage.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/escape-blocked.gif\" width=\"600\" alt=\"Escape attempts blocked\"\u003e\n\u003c/p\u003e\n\n## Try it\n\n```bash\ncurl -fsSL https://github.com/borenstein/yolo-cage/releases/latest/download/yolo-cage -o yolo-cage\nchmod +x yolo-cage \u0026\u0026 sudo mv yolo-cage /usr/local/bin/\nyolo-cage build --interactive --up\n```\n\nThen create a [sandbox](docs/glossary.md#sandbox) and start coding:\n\n```bash\nyolo-cage create feature-branch\nyolo-cage attach feature-branch   # Attach to agent in tmux\n```\n\n**Prerequisites:** Vagrant with libvirt (Linux) or QEMU (macOS, experimental), 8GB RAM, 4 CPUs, GitHub PAT (`repo` scope), Claude account. See [setup docs](docs/setup.md) for details.\n\n---\n\n## What gets blocked\n\n**Secrets in HTTP/HTTPS** - [egress proxy](docs/glossary.md#egress-proxy) scans request bodies, headers, URLs:\n- `sk-ant-*`, `AKIA*`, `ghp_*`, SSH private keys, generic credential patterns\n\n**Git operations** - [dispatcher](docs/glossary.md#dispatcher) enforces [branch isolation](docs/glossary.md#branch-isolation):\n- Push to any branch except the [assigned branch](docs/glossary.md#assigned-branch)\n- `git remote`, `git clone`, `git config`, `git credential`\n\n**GitHub CLI** - dispatcher blocks dangerous commands:\n- `gh pr merge`, `gh repo delete`, `gh api`\n\n**GitHub API** - proxy blocks at HTTP layer:\n- `PUT /repos/*/pulls/*/merge`, `DELETE /repos/*`, webhook modifications\n\n**Exfiltration sites**: pastebin.com, file.io, transfer.sh, etc.\n\nSee [Architecture](docs/architecture.md) for the full threat model.\n\n---\n\n## How it works\n\n```\n┌──────────────────────────────────────────────────────────────────────────┐\n│ Runtime (Vagrant VM + MicroK8s)                                          │\n│                                                                          │\n│  ┌────────────────────────────────────────────────────────────────────┐  │\n│  │ Sandbox                                                            │  │\n│  │                                                                    │  │\n│  │  Agent (Claude Code in YOLO mode)                                  │  │\n│  │       │                                                            │  │\n│  │       ├── git/gh ──▶ Dispatcher ──▶ GitHub                         │  │\n│  │       │              • Branch isolation enforcement                │  │\n│  │       │              • TruffleHog pre-push scanning                │  │\n│  │       │                                                            │  │\n│  │       └── HTTP/S ──▶ Egress Proxy ──▶ Internet                     │  │\n│  │                      • Secret scanning (LLM-Guard)                 │  │\n│  │                      • Domain blocklist                            │  │\n│  └────────────────────────────────────────────────────────────────────┘  │\n│                                                                          │\n└──────────────────────────────────────────────────────────────────────────┘\n```\n\nOne [sandbox](docs/glossary.md#sandbox) per branch. [Agents](docs/glossary.md#agent) can only push to their [assigned branch](docs/glossary.md#assigned-branch). All outbound traffic is filtered.\n\n---\n\n## CLI\n\n| Command | Description |\n|---------|-------------|\n| `create \u003cbranch\u003e` | Create sandbox |\n| `attach \u003cbranch\u003e` | Attach (Claude in tmux) |\n| `shell \u003cbranch\u003e` | Attach (bash) |\n| `list` | List sandboxes |\n| `delete \u003cbranch\u003e` | Delete sandbox |\n| `port-forward \u003cbranch\u003e \u003cport\u003e` | Forward port from sandbox |\n| `up` / `down` | Start/stop VM |\n| `upgrade [--rebuild]` | Upgrade to latest version |\n| `version` | Show version |\n\n### Port forwarding\n\nAccess web apps running inside a [sandbox](docs/glossary.md#sandbox):\n\n```bash\nyolo-cage port-forward feature-x 8080           # localhost:8080 → sandbox:8080\nyolo-cage port-forward feature-x 9000:3000      # localhost:9000 → sandbox:3000\nyolo-cage port-forward feature-x 8080 --bind 0.0.0.0  # LAN accessible\n```\n\nSee [Configuration](docs/configuration.md) for proxy bypass, hooks, and resource limits.\n\n---\n\n## Documentation\n\n- **[Glossary](docs/glossary.md)** - Ubiquitous language and terminology\n- **[Architecture](docs/architecture.md)** - Threat model, design rationale\n- **[Configuration](docs/configuration.md)** - Egress policy, proxy bypass, hooks\n- **[Customization](docs/customization.md)** - Adding tools, resource limits\n- **[Security Audit](docs/security-audit.md)** - Escape testing guide\n\n---\n\n## Limitations\n\nThis reduces risk. It does not eliminate it.\n\n- **DNS exfiltration** - data encoded in DNS queries\n- **Timing side channels** - information leaked via response timing\n- **Steganography** - secrets hidden in images or binary data\n- **Sophisticated encoding** - bypassing pattern matching\n\nUse scoped credentials. Don't use production secrets where exfiltration would be catastrophic. See [Security Audit](docs/security-audit.md) to test it yourself.\n\n\u003c!-- TODO: Add links to security PRs once available --\u003e\n\n---\n\n## License\n\nMIT. See [LICENSE](LICENSE).\n","funding_links":[],"categories":["Sandboxing \u0026 Isolation"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fborenstein%2Fyolo-cage","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fborenstein%2Fyolo-cage","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fborenstein%2Fyolo-cage/lists"}