Stephan Schmidt - March 7, 2026
How to Run Claude Code in YOLO Mode Without Losing Your Credentials
Last week I counted. Over the course of a single afternoon session, I clicked “yes” in Claude Code over one hundred times. Yes, write this file. Yes, run this command. Yes, create this directory. And then there are three Claude Code CLIs running in three tmux panes at the same time. At some point you stop reading what you’re approving and just select yes.

YOLO mode does exist in Claude for a reason. Let Claude do the work without asking permission for every cd, mkdir. But: Claude Code, running on your machine, can access everything and do everything over the next several hours until you look again.

Most developers I talk to pick one of two bad options. Either they run YOLO and trust the AI (brave, stupid, pick one), or they keep clicking yes a hundred times a day.

There is a third option, which is running Claude Code in a devcontainer (with tradeoffs, there are always tradeoffs).

So I did take a look at the vast AI-jail landscape recently. The simple wrappers – Bubblewrap, Landrun, Claude Sandbox on macOS – they work the way chroot jails worked twenty years ago. Restrict what the process can see and limit what it can touch. Bubblewrap can kill network access with --unshare-net, which is nice. Landrun only controls TCP port binding. Claude Sandbox on macOS restricts file writes.

Then there’s Anthropic’s own Sandbox Runtime. HTTP/SOCKS5 proxy with domain rules, filesystem deny-read/write controls. But again no credential injection, no MITM proxying.

None of them can hide secrets from the AI, inject credentials where they’re needed, or audit what goes in and out. You can lock things down, file access at least, but you’re doing it manually, and the configuration is fiddly enough that you’ll probably get it wrong.

The ambitious tools are more interesting and more frustrating. Sandcat uses Docker Compose with WireGuard and a MITM proxy – it intercepts all traffic, substitutes secrets at the proxy level, enforces domain whitelists. On paper, this is exactly what you want (except lacking secret hiding). Matchlock runs Firecracker microVMs on Linux and uses Apple’s Virtualization framework on macOS. Agent-sandbox does MITM proxying with domain filtering and secret redaction.

With devcontainers you get a .devcontainer/devcontainer.json in your project, open it with the Dev Containers extension, and you’re inside a container. After that initial setup, every project with a devcontainer config just works.

Dev containers solve more problems than just YOLO. New developer joins the team? They open the project and they’re ready with devcontainers. No “install this version of Node, set up this database, configure this environment variable” ritual.

Customization annoyed me though. You want tmux in your container? (I NEED TMUX!) Edit the Dockerfile. You want ripgrep, fd, fzf, mdq – the tools Claude Code actually needs to be more productive? Edit the Dockerfile. You want a Go language server for LSP support? Edit the Dockerfile, install GVM, install gopls, hope it all works together.

You’re happy and distribute the container in your team. Now the maintainer of that dev container pushes an update. Your Dockerfile modifications? Gone. You’re back to hand-merging Dockerfile fragments.

So I built (Claude did ;-) sandcatter to fix this. It’s a simple, rudimentary plugin system for dev containers. Instead of editing Dockerfiles by hand, you run sandcatter apply .devcontainer tmux and it merges the right packages, config files, and environment variables into your existing container setup. It backs up everything before touching it, it’s idempotent (run it twice, nothing breaks), and it auto-detects whether you’re using Anthropic’s container or Sandcat’s Docker Compose setup.

sandcatter apply . tmux claude-tools – done. The claude-tools plugin installs all the CLI utilities that make Claude better: ripgrep, fd, fzf, yq, mdq. After an update of the container, run sandcatter again. Your customizations get reapplied cleanly on top.

For now I use Sandcat, the teams I work with use Anthropic. But we will probably use e.g. ‘Landrun’ for non-interactive, one-shot AI prompts.
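To make the "simple wrapper" approach concrete, here is a hand-built Bubblewrap jail that hides the home directory and the inherited environment and can drop the network with --unshare-net; it is an added example, not code from the post or from any of the tools it names. The function name `jail` and its arguments are hypothetical, and it assumes a merged-/usr Linux distribution, bwrap 0.5 or newer (for --clearenv), and a command installed under /usr.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal Bubblewrap jail.
# Assumes a merged-/usr Linux distro and bwrap >= 0.5 (for --clearenv).

# jail MODE PROJECT NET CMD...
#   MODE     "print" lists the bwrap arguments one per line; "run" executes
#   PROJECT  the only host directory mounted writable
#   NET      "off" adds --unshare-net; anything else keeps host networking
jail() {
    mode=$1 project=$2 net=$3
    shift 3                                   # "$@" is now the command

    # Built back to front by prepending, so the command stays at the end.
    set -- --unshare-pid --die-with-parent --new-session \
           --chdir "$project" -- "$@"
    if [ "$net" = off ]; then
        set -- --unshare-net "$@"             # empty network namespace
    fi
    # Start from an empty environment so exported tokens (cloud keys,
    # API keys) are not inherited by the jailed process.
    set -- --clearenv --setenv HOME "$HOME" --setenv PATH /usr/bin:/bin \
           --setenv TERM "${TERM:-dumb}" "$@"
    # An empty tmpfs over $HOME hides ~/.ssh, ~/.aws, ~/.netrc and friends;
    # the project is bound back on top (bwrap applies mounts in order).
    set -- --tmpfs "$HOME" --bind "$project" "$project" "$@"
    # Read-only OS view with private /proc, /dev and /tmp.
    set -- --ro-bind /usr /usr --ro-bind /etc /etc \
           --symlink usr/bin /bin --symlink usr/lib /lib \
           --symlink usr/lib64 /lib64 \
           --proc /proc --dev /dev --tmpfs /tmp "$@"

    if [ "$mode" = print ]; then
        printf '%s\n' "$@"
    else
        exec bwrap "$@"
    fi
}

# Usage: jail run "$PWD" off make test
```

This is the manual, fiddly lock-down the post describes: it restricts what the process can see, but it cannot inject a credential where one is needed or audit what goes in and out.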
