MCPcopy Index your code
hub / github.com/borenstein/yolo-cage

github.com/borenstein/yolo-cage @v0.2.19

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.2.19 ↗ · + Follow
469 symbols 1,397 edges 61 files 283 documented · 60% updated 5mo agov0.2.19 · 2026-02-01★ 1096 open issues
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

yolo-cage: autonomous coding agents that do no harm

You're a responsible engineer. You'd never just let an AI run roughshod through your most sensitive systems and codebases.

That's why you'd never just shut off the safeguards for a tool like Claude Code. It asks permission for every dangerous action! Safe!

So you wait. And you answer. Decision fatigue sets in. And that's when it happens.

Agent deletes entire repo

Permission prompts neglect the weakest part of the thread model: a tired user. What if we could empower the agent while limiting its blast radius, thus deferring your decisions until PR review?

That would be great! And that would be yolo-cage.

Escape attempts blocked

Try it

curl -fsSL https://github.com/borenstein/yolo-cage/releases/latest/download/yolo-cage -o yolo-cage
chmod +x yolo-cage && sudo mv yolo-cage /usr/local/bin/
yolo-cage build --interactive --up

Then create a sandbox and start coding:

yolo-cage create feature-branch
yolo-cage attach feature-branch   # Attach to agent in tmux

Prerequisites: Vagrant with libvirt (Linux) or QEMU (macOS, experimental), 8GB RAM, 4 CPUs, GitHub PAT (repo scope), Claude account. See setup docs for details.


What gets blocked

Secrets in HTTP/HTTPS - egress proxy scans request bodies, headers, URLs: - sk-ant-*, AKIA*, ghp_*, SSH private keys, generic credential patterns

Git operations - dispatcher enforces branch isolation: - Push to any branch except the assigned branch - git remote, git clone, git config, git credential

GitHub CLI - dispatcher blocks dangerous commands: - gh pr merge, gh repo delete, gh api

GitHub API - proxy blocks at HTTP layer: - PUT /repos/*/pulls/*/merge, DELETE /repos/*, webhook modifications

Exfiltration sites: pastebin.com, file.io, transfer.sh, etc.

See Architecture for the full threat model.


How it works

┌──────────────────────────────────────────────────────────────────────────┐
│ Runtime (Vagrant VM + MicroK8s)                                          │
│                                                                          │
│  ┌────────────────────────────────────────────────────────────────────┐  │
│  │ Sandbox                                                            │  │
│  │                                                                    │  │
│  │  Agent (Claude Code in YOLO mode)                                  │  │
│  │       │                                                            │  │
│  │       ├── git/gh ──▶ Dispatcher ──▶ GitHub                         │  │
│  │       │              • Branch isolation enforcement                │  │
│  │       │              • TruffleHog pre-push scanning                │  │
│  │       │                                                            │  │
│  │       └── HTTP/S ──▶ Egress Proxy ──▶ Internet                     │  │
│  │                      • Secret scanning (LLM-Guard)                 │  │
│  │                      • Domain blocklist                            │  │
│  └────────────────────────────────────────────────────────────────────┘  │
│                                                                          │
└──────────────────────────────────────────────────────────────────────────┘

One sandbox per branch. Agents can only push to their assigned branch. All outbound traffic is filtered.


CLI

Command Description
create <branch> Create sandbox
attach <branch> Attach (Claude in tmux)
shell <branch> Attach (bash)
list List sandboxes
delete <branch> Delete sandbox
port-forward <branch> <port> Forward port from sandbox
up / down Start/stop VM
upgrade [--rebuild] Upgrade to latest version
version Show version

Port forwarding

Access web apps running inside a sandbox:

yolo-cage port-forward feature-x 8080           # localhost:8080 → sandbox:8080
yolo-cage port-forward feature-x 9000:3000      # localhost:9000 → sandbox:3000
yolo-cage port-forward feature-x 8080 --bind 0.0.0.0  # LAN accessible

See Configuration for proxy bypass, hooks, and resource limits.


Documentation


Limitations

This reduces risk. It does not eliminate it.

  • DNS exfiltration - data encoded in DNS queries
  • Timing side channels - information leaked via response timing
  • Steganography - secrets hidden in images or binary data
  • Sophisticated encoding - bypassing pattern matching

Use scoped credentials. Don't use production secrets where exfiltration would be catastrophic. See Security Audit to test it yourself.


License

MIT. See LICENSE.

Core symbols most depended-on inside this repo

classify
called by 33
dispatcher/commands.py
die
called by 30
yolo_cage/output.py
classify_gh
called by 29
dispatcher/gh_commands.py
log_success
called by 18
yolo_cage/output.py
execute
called by 17
dispatcher/gh.py
log_step
called by 16
yolo_cage/output.py
get_checkout_target
called by 10
dispatcher/policy.py
check_push_allowed
called by 10
dispatcher/policy.py

Shape

Method 207
Function 142
Class 73
Route 47

Languages

Python100%

Modules by API surface

dispatcher/tests/test_policy.py59 symbols
dispatcher/tests/test_commands.py45 symbols
dispatcher/tests/test_gh_commands.py42 symbols
tests/test_instances.py38 symbols
dispatcher/app.py25 symbols
dispatcher/tests/test_hooks.py24 symbols
dispatcher/tests/test_app_gh.py23 symbols
yolo_cage/host/instances.py16 symbols
dispatcher/tests/test_gh.py16 symbols
yolo_cage/host/vagrant.py10 symbols
yolo_cage/errors.py10 symbols
dispatcher/models.py9 symbols

For agents

$ claude mcp add yolo-cage \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page