Open source · Docker isolation · One command
AI runs free. Your system stays safe.
Run Claude Code with full autonomous power, safely sandboxed in Docker.
$ curl -fsSL https://cleat.sh/install | bash
~ $ cleat
✔ Image ready (cached)
✔ Container started
✔ Auth shared
✔ Claude launched
Container: cleat-backend-a1b2c3d4
Project: ~/backend → /workspace
Caps:
mount: git, ssh, env, hooks
cloud: aws (lazy)
sandbox: docker (escapes)
Env: 3 from .cleat.env
Claude is analyzing your project...
❯ ▊
$ claude --dangerously-skip-permissions
⚠ Modifying /usr/local/bin/...
⚠ Overwriting /etc/hosts...
⚠ Removing ~/.ssh/config...
✖ System unbootable. Restore from backup.
I let Claude run overnight. It bricked my Mac. So I built Cleat.
Same power. Smaller blast radius.
| | Without isolation | With Cleat |
|---|---|---|
| Same power | | |
| Edit project files | ✓ | ✓ |
| Clipboard to host | ✓ | ✓ bridged |
| Browser auth (OAuth) | ✓ | ✓ bridged |
| Install packages | ⚠ your system | ✓ contained |
| Run any command | ⚠ your system | ✓ contained |
| Test Docker apps | ⚠ your system | ✓ opt-in via --cap docker |
| Smaller blast radius | | |
| Access other projects | ⚠ exposed | ✓ blocked |
| Modify your system | ⚠ exposed | ✓ blocked |
| Read ~/.ssh, credentials | ⚠ exposed | ✓ blocked |
| Safe to leave overnight | ⚠ risky | ✓ yes |
Architecture
Your machine. Docker container. Clean boundary.
/home/coder/.claude
/workspace
caps:
mount: git, ssh, env, hooks
cloud: aws (lazy)
sandbox: docker (escapes)
Claude Code (full permissions)
Can: read/write project, install packages, run cmds
Cannot: touch host, access other projects
Everything else is untouched.
Why not just write a Dockerfile? You could. But then you handle UID/GID mapping, clipboard bridging, browser auth, hook forwarding, host connectivity, session persistence, per-project container naming, and a dozen edge cases. Cleat handles all of it in one command.
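One way to check this boundary from the host is to audit the mounts that `docker inspect` reports for a running container. This is an added example, not Cleat's own code. The inspect JSON is a constructed sample, the host paths and the `.ssh`/`.gitconfig` container paths are assumptions, and the writable `.gitconfig` is a deliberate deviation from the read-only mount the capability list describes, so the check has something to flag.

```python
import json

# Constructed sample of `docker inspect <container>` output (not captured from Cleat).
SAMPLE_INSPECT = json.dumps([{
    "Name": "/cleat-backend-a1b2c3d4",
    "HostConfig": {"Privileged": False},
    "Mounts": [
        {"Type": "bind", "Source": "/home/alice/backend",
         "Destination": "/workspace", "RW": True},
        {"Type": "bind", "Source": "/home/alice/.claude",
         "Destination": "/home/coder/.claude", "RW": True},
        {"Type": "bind", "Source": "/home/alice/.ssh",
         "Destination": "/home/coder/.ssh", "RW": False},          # assumed path
        {"Type": "bind", "Source": "/home/alice/.gitconfig",
         "Destination": "/home/coder/.gitconfig", "RW": True},     # deliberately wrong
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "RW": True},       # --cap docker
    ],
}])

# Destinations the Architecture section shows as the container's working paths.
EXPECTED_RW = {"/workspace", "/home/coder/.claude"}
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}


def audit_mounts(inspect_json):
    """Return (severity, message) findings for the containers in inspect output."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        if container.get("HostConfig", {}).get("Privileged"):
            findings.append(("critical", f"{name}: runs privileged"))
        for m in container.get("Mounts", []):
            src, dst = m.get("Source", ""), m.get("Destination", "")
            if src in DOCKER_SOCKETS or dst in DOCKER_SOCKETS:
                # Access to the host daemon is equivalent to control of the host.
                findings.append(("critical", f"{name}: host Docker socket mounted ({dst})"))
            elif m.get("Type") == "bind" and m.get("RW") and dst not in EXPECTED_RW:
                findings.append(("warn", f"{name}: writable host path {src} -> {dst}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_mounts(SAMPLE_INSPECT):
        print(f"[{severity}] {message}")
```

Against a live container, pass the output of `docker inspect <container-name>` to `audit_mounts` in place of the sample.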
Features
One command. No moving parts.
$ cleat
✔ Image ready (cached)
✔ Container started
✔ Auth shared
✔ Claude launched
No config. No setup. Just go.
$ cleat ps
Cleat containers:
● cleat-api-a1b2c3d4
Up 2 hours
~/projects/api
● cleat-web-e5f6a7b8
Up 45 minutes
~/projects/web
● cleat-docs-c9d0e1f2
Exited (0) 5 hours ago
~/projects/docs
Resume with: cd <dir> && cleat resume
$ cleat stop
✔ Session ended — resume with: cleat resume
$ cleat resume
✔ Session resumed
Back where you left off.
$ cleat
Claude working autonomously...
┌──────────────────────────┐
│ 8 hours later │
│ 47 files changed │
│ All tests passing │
│ Host system: untouched ✔ │
└──────────────────────────┘
❯ copy the API key to clipboard
● Bash(echo -n "sk-…" | pbcopy 2>/dev/null || echo -n "sk-…" | xclip …)
⎿ (No output)
● Done — "sk-…" is in your clipboard.
Bridged to host. No X11. Zero config.
$ cleat config
Cleat — Capabilities
Scope: global (~/.config/cleat/config)
▸ [✔] git Mount ~/.gitconfig (read-only) for commit identity
[✔] ssh Mount ~/.ssh (read-only) and forward SSH agent
[·] env Load env vars from ~/.config/cleat/env and .cleat.env
[✔] hooks Run your Claude Code hooks on the host (global + project)
[·] gh GitHub CLI auth (persists across rm/nuke/rebuild)
[·] docker Host Docker socket (breaks sandbox) to test Docker apps
[·] az Azure CLI auth (lazy install ~250 MB on first use; auth persists)
[·] aws AWS CLI auth (lazy install ~150 MB on first use; auth persists)
[·] gcloud Google Cloud CLI auth (lazy install ~200 MB on first use; auth persists)
↑/↓ navigate ␣ toggle ⏎ save q cancel
$ cleat shell
▸ Container cleat-api-a1b2c3d4
coder@a1b2c3d4e5f6:/workspace$
Drop into bash. Debug anything.
Same container, same state.
$ cleat config --enable hooks
✔ hooks enabled
Claude session ended →
✔ osascript: "Session ended"
Your hooks, running on your host.
Global + project hooks — just work.
$ cleat --cap docker
! Docker socket mounted
✔ Claude launched
$ docker compose up -d
✔ Started api, db, redis
$ docker compose exec app npm test
✔ All tests passed
Host daemon. Real containers.
Claude still runs in its container; the host socket is an opt-in escape.
$ cleat --cap az --cap aws --cap gcloud
✔ Container started
⠋ Installing Azure CLI (one-time, ~30s)
✔ Azure CLI installed
⠋ Installing AWS CLI (one-time, ~20s)
✔ AWS CLI installed
⠋ Installing Google Cloud CLI (one-time, ~25s)
✔ Google Cloud CLI installed
✔ Claude launched
$ cleat resume # next time
✔ Claude launched (instant — already installed)
Cloud CLIs land on demand.
Auth persists on your host.
$ cd cloned-repo && cleat
┌───────────────────────────────────────┐
│ This project's .cleat file requests │
│ capabilities that extend what the │
│ sandbox can access on your host. │
│ │
│ Requested: │
│ │
│ docker Host Docker socket │
│ env Load .cleat.env env vars │
│ │
│ Project: ~/cloned-repo │
└───────────────────────────────────────┘
Trust this project's .cleat? [y/N]: _
Cloned a repo? Caps don't auto-activate.
You approve. Cleat remembers.
Run anything. Break nothing.
Start sandboxing your AI agents in 30 seconds.
Because you shouldn't need a Time Machine backup to use AI.
$ curl -fsSL https://cleat.sh/install | bash