container
Health: Passed
- License — License: BSD-3-Clause
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Community trust — 274 GitHub stars
Code: Failed
- rm -rf — Recursive force deletion command in package.json
- os.homedir — User home directory access in scripts/postinstall.js
- fs module — File system access in scripts/postinstall.js
Permissions: Passed
- Permissions — No dangerous permissions requested
This tool creates an isolated Docker environment to safely run AI coding assistants like OpenCode, Codex, and Claude Code with full permissions. It handles container management and config mounting via a global CLI.
Security Assessment
Risk: Medium. The tool is designed to wrap AI agents and execute shell commands, so process spawning (`spawnSync` in `src/docker.ts`) and home-directory access (`os.homedir` in `src/config.ts` and `src/mounts.ts`) are expected: that is how it copies harness configurations such as `~/.claude` or `~/.codex` into the Docker container. The scan also flagged recursive force deletion (`rm -rf`) in `package.json` and `scripts/cleanup.sh`; these are most likely routine cleanup steps, but `rm -rf` always warrants reading the surrounding command to confirm which path it targets. Note that `scripts/postinstall.js` uses `os.homedir` and the `fs` module at install time, i.e. it runs on the host as your user during `npm install -g`, before any container exists. No hardcoded secrets or dangerous permission requests were found.
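The check a practitioner would run on the findings above before letting `npm install -g` execute the package's scripts: fetch the tarball without installing, then read its lifecycle hooks and the flagged patterns offline. This is an added example, not code from the scanner page or from the container project. The `sample-cli` package it builds is constructed here to mirror the scan's flags, and the pattern list is a heuristic assumption rather than a verdict of malice.

```shell
#!/bin/sh
# Added example, not code from the scanner page or from @aerovato/container.
# Pre-install audit of an npm tarball: list install-time lifecycle hooks and
# the patterns the scan flagged (rm -rf, os.homedir, fs, process spawning,
# downloads) so they can be read before `npm install -g` runs them on the host.
# The pattern list is a heuristic assumption, not a verdict of malice.
#
# Real workflow (needs network; not run here):
#   npm pack @aerovato/container        # fetch aerovato-container-<ver>.tgz without installing
#   tar xzf aerovato-container-*.tgz    # extracts into ./package
#   audit_npm_pkg package               # read the findings, then install (or not)

# audit_npm_pkg DIR: prints findings, returns 0 only when nothing was flagged.
audit_npm_pkg() {
  dir=$1
  findings=0
  [ -f "$dir/package.json" ] || { echo "no package.json in $dir" >&2; return 2; }

  # 1. Lifecycle hooks run as your user during install, before any container exists.
  for hook in preinstall install postinstall prepare; do
    line=$(grep -E "\"$hook\"[[:space:]]*:" "$dir/package.json" | sed 's/^[[:space:]]*//')
    if [ -n "$line" ]; then
      echo "HOOK    $line"
      findings=$((findings + 1))
    fi
  done

  # 2. Risky patterns in anything shipped in the tarball (one finding per pattern).
  for pat in 'rm -rf' 'os\.homedir' 'child_process|spawnSync|execSync' 'require\(.fs.\)' 'curl |wget '; do
    hits=$(find "$dir" -type f \( -name '*.js' -o -name '*.ts' -o -name '*.sh' -o -name '*.json' \) \
             -exec grep -nE "$pat" /dev/null {} \; 2>/dev/null) || true
    if [ -n "$hits" ]; then
      echo "PATTERN $pat"
      printf '%s\n' "$hits" | sed 's/^/        /'
      findings=$((findings + 1))
    fi
  done

  echo "findings: $findings"
  [ "$findings" -eq 0 ]
}

# make_sample_pkg DIR: constructed sample that mirrors the scan's flags
# (postinstall hook, os.homedir + fs in scripts/postinstall.js, rm -rf in package.json).
make_sample_pkg() {
  mkdir -p "$1/scripts"
  cat > "$1/package.json" <<'EOF'
{
  "name": "sample-cli",
  "version": "0.0.0",
  "scripts": {
    "postinstall": "node scripts/postinstall.js",
    "clean": "rm -rf dist"
  }
}
EOF
  cat > "$1/scripts/postinstall.js" <<'EOF'
const fs = require('fs');
const os = require('os');
const path = require('path');
// Creates a config directory under the installing user's home.
const cfgDir = path.join(os.homedir(), '.sample-cli');
if (!fs.existsSync(cfgDir)) fs.mkdirSync(cfgDir, { recursive: true });
EOF
}

# Demo on the constructed sample; a non-zero return is the "stop and read" gate.
demo_dir=$(mktemp -d)
make_sample_pkg "$demo_dir/package"
audit_npm_pkg "$demo_dir/package" || echo "gate: review the findings above before installing"
rm -rf "$demo_dir"   # only our own temp directory
```

The audit reports a finding per lifecycle hook and per matched pattern, so on the constructed sample it reports four and exits non-zero; on a package with no install hooks and none of the patterns it exits zero. A `postinstall` hook that touches the home directory is worth reading in full even when it turns out to be benign, because it runs with your privileges before the tool's own isolation applies.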
Quality Assessment
The project is actively maintained, with its last push occurring today. It has a solid community backing with 203 GitHub stars and uses the permissive BSD-3-Clause license. The repository is well-documented, providing clear installation steps, migration guides, and usage commands.
Verdict
Use with caution—while the tool is well-made and uses Docker for isolation, its reliance on `rm -rf` and broad home directory access requires trusting the maintainer.
Safely run OpenCode, Codex, Claude Code with full permissions.
container: Isolated Docker environments for your autonomous coding harnesses.
Simple. Lightweight. Secure.
Quickstart
Prerequisites
- Docker or Podman — Docker Desktop/Engine or Podman
- A POSIX-Compatible System — Linux, macOS, WSL
Installation
container is available as an NPM package. Install with:
npm install -g @aerovato/container
Run container init (interactive onboarding). It will:
- Detect installed harnesses (Claude Code, OpenCode, etc.)
- Migrate your existing configs
- Let you choose Docker or Podman
- Configure SSH and git mounts
Accept the prompt to build the image (first build can take 5+ minutes).
You're done. container is ready to use.
Shameless Self-Promotion
Try Nitro, a simple and efficient Bash harness. 11x cheaper, 75x more efficient than Claude Code for simple Bash tasks.
npm install -g @aerovato/nitro
Usage
Navigate to any project and run container:
cd /path/to/your/project
container
Inside the container: Start your harness and develop like normal.
opencode # Start OpenCode
npm install <package> # Persists per container
# ...
Your project is mounted at /root/<project-name>. Changes persist across sessions. Harness configs are shared across all containers.
You may want to periodically rebuild the image to update harnesses and packages:
container build # Trigger full rebuild
container build harness # Rebuild harnesses and user packages
container build user # Rebuild user packages
Common Commands
container # Enter container for current directory
container run /path/to/project # Enter for a specific project
container run /path -- -p 8080:80 # Pass extra runtime flags
container list # List all containers
container stop # Stop container
container remove # Remove container
container init # Re-run onboarding
Customization
Customization is done through two places:
1. ~/.code-container/Dockerfile.User
Add packages and setup steps here. Example:
FROM localhost/aerovato/container-v3-harness:latest
RUN npm install -g bun typescript
RUN pip install requests
RUN npx opencode plugin opencode-quotes-plugin -g
After editing, run container build user to rebuild the image
2. ~/.code-container/settings.json
Primary configuration file. See docs/Settings.md for more details.
Common settings:
- enabledHarnesses — which harnesses to install
- runtime — "docker" or "podman"
- dockerfileCore — advanced control over the base image
- systemMounts — gitconfig and SSH mounts
- dockerRunFlags / dockerExecFlags — extra runtime flags
Hint: Clone this repo and ask your agent to configure for you.
For V2 Users
After upgrading to V3, all configurations will be archived to ~/.code-container/archive. To migrate configurations over, ask your agent to read and perform the steps in docs/Migration.md.
Features
- Isolation — Destructive actions stay inside the container
- 3-Stage Builds — Core → Harness → User (rebuild only what changed)
- Configurable Runtime — Docker or Podman
- Harness Packs — Choose exactly which tools to enable
- Persistent State — Workspaces and configs survive across sessions
- Simultaneous Work — Multiple agents can safely work on the same project
Security
- container protects your host filesystem from rm -rf
- Packages and configurations inside containers stay localized
- Isolation prevents cross-contamination across containers
Important limitations:
- container does not protect against prompt injection or agent misalignment
- Network access is available inside the container (the harnesses need it to reach their model APIs)
- Harness configs will be mounted inside the container, which may include the harnesses' API credentials; combined with the two points above, a prompt-injected agent can read and transmit them
Uninstall
npm uninstall -g @aerovato/container
rm -rf ~/.code-container
Consider backing up the harness configurations in ~/.code-container/configs before removing.