Yu – Sandboxes your Claude Code/Codex with zero credential exposure

Posted by qingant | 4 hours ago | 1 comment

qingant 4 hours ago

Yu sandboxes AI coding agents so they can use credentials without holding them. No permission popups. Auto-snapshot for fearless rollback.

How It Works

Filesystem — macOS sandbox-exec hides everything except the project directory. No containers.

Env vars — Default-deny whitelist. Secrets (KEY, TOKEN, SECRET, PASSWORD) get dummy values.

API proxy — For custom BASE_URL setups (e.g. LiteLLM), a localhost reverse proxy swaps dummy keys for real ones. No MITM, no certificates.

Command proxy — git, ssh, gh, aws intercepted by shims. Real commands run outside sandbox with credentials from .yu/env.

Permission bypass — Agents launch with --dangerously-skip-permissions (Claude) / --dangerously-bypass-approvals-and-sandbox (Codex). The sandbox is the security boundary.
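
An added illustration of the env-var and API-proxy steps described in the post above; it is not part of the post and not Yu's code. The allowlist contents, the dummy-value format, the function names and the choice to reject unknown tokens are assumptions, and the sample environment is constructed.

```python
import hmac
import secrets

# Name fragments the post lists as marking a secret.
SECRET_MARKERS = ("KEY", "TOKEN", "SECRET", "PASSWORD")
# Assumed allowlist for illustration; Yu's actual list is not given in the post.
ALLOWLIST = frozenset({"PATH", "HOME", "LANG", "TERM"})

# Constructed sample of a developer's parent environment.
PARENT = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/Users/dev",
    "EDITOR": "vim",
    "SSH_AUTH_SOCK": "/tmp/agent.sock",
    "OPENAI_API_KEY": "sk-real-constructed",
    "AWS_SESSION_TOKEN": "real-session-constructed",
}

def build_sandbox_env(parent, allowlist=ALLOWLIST):
    """Return (env handed to the agent, dummy->real table kept outside the sandbox)."""
    env, swap = {}, {}
    for name, value in parent.items():
        if any(marker in name.upper() for marker in SECRET_MARKERS):
            dummy = "dummy-" + secrets.token_hex(8)  # unique per variable
            env[name] = dummy
            swap[dummy] = value
        elif name in allowlist:
            env[name] = value
        # Anything else is dropped (default deny), e.g. SSH_AUTH_SOCK.
    return env, swap

def swap_credential(headers, swap):
    """Proxy side: replace a known dummy bearer token with the real key."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    for dummy, real in swap.items():
        if hmac.compare_digest(token.encode(), dummy.encode()):
            return {**headers, "Authorization": f"{scheme} {real}"}
    # Assumed policy: never forward a token the proxy did not issue.
    raise PermissionError("unknown credential; refusing to forward")
```

The swap table is the only place real values live, so it has to stay in the process outside the sandbox, alongside the proxy.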