Open source · Docker isolation · One command
AI runs free. Your system stays safe.
Run Claude Code with full autonomous power, safely sandboxed in Docker.
$ curl -fsSL https://cleat.sh/install | bash
One command
Run it. It's already contained.
~ $ cleat
✔ Image ready (cached)
✔ Container started
✔ Auth shared
✔ Claude launched
Container: cleat-backend-a1b2c3d4
Project: ~/backend (same path, sandboxed)
Caps:
mount: git, ssh, env, hooks, gh
sandbox: docker (breaks isolation)
Claude is analyzing your project...
❯ ▊
I let Claude run overnight. It bricked my Mac. So I built Cleat.
Same power. Smaller blast radius.
| | Without isolation | With Cleat |
|---|---|---|
| Same power | | |
| Edit project files | ✓ | ✓ |
| Clipboard to host | ✓ | ✓ bridged |
| Browser auth (OAuth) | ✓ | ✓ bridged |
| Install packages | ⚠ your system | ✓ contained |
| Run any command | ⚠ your system | ✓ contained |
| Test Docker apps | ⚠ your system | ✓ opt-in via --cap docker |
| Smaller blast radius | | |
| Access other projects | ⚠ exposed | ✓ blocked |
| Modify your system | ⚠ exposed | ✓ blocked |
| Read ~/.ssh, credentials | ⚠ exposed | ✓ blocked |
| Claude config & approvals | ⚠ shared, corruptible | ✓ per-project |
| Safe to leave overnight | ⚠ risky | ✓ yes |
Architecture
Your machine. Docker container. Clean boundary.
/home/coder/.claude
/workspace
caps:
mount: git, ssh, env, hooks, gh
sandbox: docker (breaks isolation)
Claude Code (full permissions)
Can: read/write project, install packages, run cmds
Cannot: touch host or other projects (by default)
Everything else is untouched.
Why not just write a Dockerfile? You could. But then you handle UID/GID mapping, clipboard bridging, browser auth, hook forwarding, host connectivity, session persistence, per-project container naming, and a dozen edge cases. Cleat handles all of it in one command.
Features
One command. Everything wired up.
$ cleat
✔ Image ready (cached)
✔ Container started
✔ Auth shared
✔ Claude launched
No config. No setup. Just go.
$ cleat ps
Cleat containers:
● cleat-api-a1b2c3d4
Up 2 hours
~/projects/api
● cleat-web-e5f6a7b8
Up 45 minutes
~/projects/web
● cleat-docs-c9d0e1f2
Exited (0) 5 hours ago
~/projects/docs
Resume with: cd <dir> && cleat resume
$ cleat stop
✔ Session ended. Resume with: cleat resume
$ cleat resume
✔ Session resumed
Back where you left off.
$ cleat
Claude working autonomously...
┌──────────────────────────┐
│ 8 hours later │
│ 47 files changed │
│ All tests passing │
│ Host system: untouched ✔ │
└──────────────────────────┘
❯ copy the API key to clipboard
● Bash(echo -n "sk-…" | pbcopy 2>/dev/null || echo -n "sk-…" | xclip …)
⎿ (No output)
● Done. "sk-…" is in your clipboard.
Bridged to host. No X11. Zero config.
$ cleat config
Cleat Capabilities
Scope: global (~/.config/cleat/config)
▸ [✔] git Mount ~/.gitconfig (read-only) for commit identity
[✔] ssh Mount ~/.ssh (read-only) and forward SSH agent
[·] env Load env vars from ~/.config/cleat/env and .cleat.env
[✔] hooks Run your Claude Code hooks on the host (global + project)
[·] gh GitHub CLI auth (persists across rm/nuke/rebuild)
[·] docker Host Docker socket (breaks sandbox) to test Docker apps
↑/↓ navigate ␣ toggle ⏎ save q cancel
$ cleat shell
▸ Container cleat-api-a1b2c3d4
coder@a1b2c3d4e5f6:/workspace$
Drop into bash. Debug anything.
Same container, same state.
$ cleat config --enable hooks
✔ hooks enabled
Claude session ended →
✔ osascript: "Session ended"
Your hooks, running on your host.
Global + project hooks just work.
$ cleat --cap docker
! Docker socket mounted
✔ Claude launched
$ docker compose up -d
✔ Started api, db, redis
$ docker compose exec app npm test
✔ All tests passed
Host daemon. Real containers.
The socket is a host bridge, opt-in.
$ cleat upgrade-claude
⠋ Upgrading Claude Code (latest)...
✔ Claude Code upgraded
▸ Claude Code 2.1.40 → 2.1.156
Recreate cleat-backend-a1b2c3d4 now to use it? [Y/n] _
Bump bundled Claude Code. No rebuild.
Your sessions and auth stay put.
$ cd cloned-repo && cleat
┌───────────────────────────────────────┐
│ This project's .cleat file requests │
│ capabilities that extend what the │
│ sandbox can access on your host. │
│ │
│ Requested: │
│ │
│ docker Host Docker socket │
│ env Load .cleat.env env vars │
│ │
│ Project: ~/cloned-repo │
└───────────────────────────────────────┘
Trust this project's .cleat? [y/N]: _
Cloned a repo? Caps don't auto-activate.
You approve. Cleat remembers.
Run anything. Break nothing.
Start sandboxing Claude Code with one command.
Because you shouldn't need a Time Machine backup to use AI.
$ curl -fsSL https://cleat.sh/install | bash