cco by nikvdp

Securely run AI code assistants with robust sandboxing

Created 10 months ago
330 stars

Top 83.0% on SourcePulse


Summary

cco (Claude Condom) is a security wrapper for AI code execution tools like Claude Code, safeguarding systems by automatically sandboxing AI interactions. It leverages native OS sandboxing (macOS sandbox-exec, Linux bubblewrap) or Docker, providing autonomous AI capabilities with contained side effects for developers.

How It Works

cco selects a sandboxing backend automatically, preferring the lightweight, fast native OS tools and falling back to Docker for enhanced filesystem isolation. This design balances performance with security: the AI tool runs with the permissions it needs inside a controlled environment, which prevents unintended system access or modifications.

Quick Start & Requirements

  • Installation: curl -fsSL https://raw.githubusercontent.com/nikvdp/cco/master/install.sh | bash
  • Prerequisites: Authenticated Claude Code (claude login), Bash, and a compatible sandbox backend (native OS tools or Docker).
  • Usage: cco "your command" or cco --resume.
  • Docs: See SECURITY.md for detailed security analysis.

Highlighted Details

  • Supports multiple AI agents including Claude Code, OpenAI Codex, and others.
  • Seamless macOS Keychain integration for credential management.
  • Maintains native terminal feel with full responsiveness (SIGWINCH forwarding).
  • Project-aware features like Git worktree support and repo-scoped persistent Docker containers.
  • Full host network access is intentionally enabled for development servers and MCP communication.

Maintenance & Community

The repository welcomes contributions via pull requests. The README does not specify maintainers, sponsorships, or community channels.

Licensing & Compatibility

MIT License. Permissive, allowing for commercial use and integration into closed-source projects.

Limitations & Caveats

Network security is not provided; AI has full network access for web requests and local service interaction. Experimental features like --allow-oauth-refresh reduce credential isolation. A known issue on macOS can cause token expiration mid-session, requiring manual re-authentication. Stdio-based MCP servers must be installed within the container. The --safe native mode, while enhancing isolation, may break tools requiring access to $HOME dotfiles.

Health Check

  • Last commit: 2 weeks ago
  • Responsiveness: Inactive
  • Pull requests (30d): 0
  • Issues (30d): 4
  • Star history: 127 stars in the last 30 days
