Claude Code ships with a --dangerously-skip-permissions flag (affectionately dubbed “YOLO mode”) that lets the model run shell commands without asking you first. It’s exhilarating. It’s terrifying. It’s also named with the quiet desperation of a legal team that lost a fight.
The pitch is simple: let Claude iterate faster by removing the permission prompts… But, you’re handing root-equivalent agency to an LLM that might decide your dotfiles are a personal affront.
The solution: Docker. Sandbox the chaos.
Attempt 1: Docker’s Official Sandbox
Docker and Anthropic have a partnership: docker sandbox run claude. It’s secure, blessed, and utterly inflexible. You can’t mount your own ~/.claude directory. No custom configs. No persistent history. No CLAUDE.md system prompts.
Verdict: Great for drive-by usage, useless for power users.
Attempt 2: The One-Liner
The naive approach:
docker run -it --rm -v "$PWD":/app -w /app node:22 \
npx @anthropic-ai/claude-code --dangerously-skip-permissionsIt works.
It’s also painfully slow. Every invocation downloads and installs Claude from scratch. For a tool you want to reach for constantly, this friction kills the vibe. It also needed me to login every time I rebuilt the container.
Verdict: Too slow for daily use.
Attempt 3: The Bun Optimization
Bun is fast. bun x should be faster than npx. Let’s try:
docker run -it --rm -v "$PWD":/app -w /app oven/bun \
bun x @anthropic-ai/claude-code --dangerously-skip-permissionsThe issues:
- Running as root? Claude refuses:
Cannot run as root. - Running as user
bun?EACCESerrors installing packages. - Mounting host credentials? UID mismatch (1000 vs 501) blocks file reads.
Verdict: We need to run as root but convince Claude it’s safe.
Attempt 3.5: The IS_SANDBOX=1 Discovery
I found an environment variable: IS_SANDBOX=1. It bypasses the root check.
docker run -it --rm -e IS_SANDBOX=1 -v "$PWD":/app -w /app oven/bun \
bun x @anthropic-ai/claude-code --dangerously-skip-permissionsNew error:
Command not found: gitBun’s image is minimal. Claude panics without git because it can’t determine repo status.
Verdict: One-liners are dead. Time for a custom image.
Attempt 4: The Custom Dockerfile
FROM oven/bun:latest
RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*
RUN bun add -g @anthropic-ai/claude-code
ENV IS_SANDBOX=1
ENTRYPOINT ["claude"]Build it:
docker build -t claude-pro .Run it:
docker run -it --rm -v "$PWD":/app -w /app claude-pro --dangerously-skip-permissionsIt works! But Claude is… inefficient. It’s using grep, find, and cat for everything. These tools are fine, but they’re verbose and token-expensive compared to modern alternatives.
Verdict: Functional, but leaving performance on the table.
The Modern Unix Toolbelt
Let’s give Claude better tools. ripgrep is faster than grep. fd is faster than find. bat is cat with syntax highlighting. jq for JSON.
FROM oven/bun:latest
RUN apt-get update && apt-get install -y \
git \
ripgrep \
fd-find \
bat \
jq \
&& rm -rf /var/lib/apt/lists/*
# Debian names these differently
RUN ln -s $(which fdfind) /usr/local/bin/fd && \
ln -s $(which batcat) /usr/local/bin/bat
RUN bun add -g @anthropic-ai/claude-code
ENV IS_SANDBOX=1
ENTRYPOINT ["claude"]I also tried adding eza, gh, and other fancy tools. This required third-party repos, GPG keys, and broke the build with signing errors.
Verdict: Stick to what’s in the Debian repos.
The Color Crisis
The terminal looked washed out. Muted colors. Blocky gradients. Node.js inside Docker doesn’t trust that the terminal supports True Color.
The fix:
ENV FORCE_COLOR=3
ENV TERM=xterm-256colorVerdict: Vanity matters.
The Login Loop (Final Boss)
Mounting host credentials via -v ~/.claude:/root/.claude was flaky. Claude’s config structure changed from a single file to a directory hierarchy. The container kept prompting for login every session.
The solution: named volumes.
docker volume create claude-authInstead of mounting a messy host folder, we create a dedicated Docker volume and tell Claude to use it:
docker run -it --rm \
-v "$PWD":/app \
-v claude-auth:/claude-config \
-e CLAUDE_CONFIG_DIR=/claude-config \
-w /app \
claude-pro --dangerously-skip-permissionsLogin once, persist forever. The volume lives independently of the host filesystem.
The Final Setup
The Dockerfile:
FROM oven/bun:latest
RUN apt-get update && apt-get install -y \
git \
ripgrep \
fd-find \
bat \
jq \
&& rm -rf /var/lib/apt/lists/*
RUN ln -s $(which fdfind) /usr/local/bin/fd && \
ln -s $(which batcat) /usr/local/bin/bat
RUN bun add -g @anthropic-ai/claude-code
ENV IS_SANDBOX=1
ENV FORCE_COLOR=3
ENV TERM=xterm-256color
ENTRYPOINT ["claude"]The Volume:
docker volume create claude-authThe Alias:
alias cy='docker run -it --rm \
--network host \
-v "$PWD":/app \
-v claude-auth:/claude-config \
-e CLAUDE_CONFIG_DIR=/claude-config \
-w /app \
claude-pro --dangerously-skip-permissions'The System Prompt (CLAUDE.md):
Drop a CLAUDE.md in your project root to teach Claude your preferences:
# Project Guidelines
When searching files, prefer `rg` over `grep` and `fd` over `find`.
Use `bat` for viewing files with syntax highlighting.
Use `jq` for JSON manipulation.Why This Works
- Isolation: Claude can
rm -rfwhatever it wants. It’s contained. - Speed: Bun + pre-installed dependencies = instant startup.
- Persistence: Named volume survives container destruction. Login once.
- Modern tooling:
ripgrepandfdare both faster and more token-efficient. - No root paranoia:
IS_SANDBOX=1tells Claude it’s safe to operate.
Caveats
- Network access:
--network hostgives Claude full network access. For stricter isolation, drop this and explicitly map ports. - File ownership: Files created inside the container are owned by root. You might want to
chownafter.
Conclusion
YOLO mode is genuinely useful for rapid iteration. The permission prompts, while safe, break flow. Dockerizing the whole thing gives you the best of both worlds: Claude can experiment freely, and your host system remains pristine.
The alias is now muscle memory. cy in any project directory, and we’re off to the races.
Don’t bind-mount /.