YOLO-cage: an AI coding agent built for security and control
YOLO-cage is a Kubernetes-based sandbox for AI coding agents. It puts security first, using branch isolation, secret scanning and human-reviewed merges to prevent unauthorized information leakage and agents merging their own work.
Safe, autonomous coding agents in Kubernetes. Branch isolation, secret scanning, human-gated merges.
borenstein/yolo-cage
yolo-cage: AI coding agents that can't exfiltrate secrets or merge their own PRs

Disclaimer: This reduces risk but does not eliminate it. Do not use with production secrets or credentials where exfiltration would be catastrophic. See the license section below.
A Kubernetes sandbox for running Claude Code in YOLO mode (--dangerously-skip-permissions). Egress filtering blocks secret exfiltration. Git/GitHub controls enforce "agent proposes, human disposes":
Get Started
Option A: Deploy and Get to Work
Ready to go? → Setup Guide
Option B: Torture-Test It First
Need to convince yourself (or your security team) it actually works?
→ Security Audit Guide - Fork this repo, deploy yolo-cage against itself, run escape tests. Includes a prompt that asks an AI agent to try to break out of the cage defined by the repo it's reading.
The Problem
You want multiple AI agents working on your codebase in parallel, each on different feature branches, without babysitting permission prompts. But YOLO mode feels irresponsible because agents have what Simon Willison calls the "lethal trifecta":
Any two are fine. All three create exfiltration risk.
The Solution
The agent is a proposer, not an executor. All the permission prompts that would normally interrupt autonomous development are deferred to a single review when the agent opens a PR.
Architecture
One pod per branch. Each agent gets its own isolated pod with:
Git Shim Architecture
Claude Code uses git normally - all enforcement is transparent. A shim replaces /usr/bin/git and delegates to the dispatcher:
Documentation
What Gets Blocked
Secrets:
Domains:
GitHub API:
Git Operations:
Known Limitations
Requirements
License
MIT. See LICENSE for full text.
Important: This software is provided "as is", without warranty of any kind. From the license:
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
Credits
Designed by David Bruce Borenstein; planned and implemented by Claude. The agent built its own containment infrastructure, which is either very aligned or very meta, depending on your perspective.