惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

宝玉的分享
宝玉的分享
T
Threat Research - Cisco Blogs
H
Hacker News: Front Page
N
News and Events Feed by Topic
Know Your Adversary
Know Your Adversary
Cisco Talos Blog
Cisco Talos Blog
SecWiki News
SecWiki News
C
Cisco Blogs
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Tor Project blog
K
Kaspersky official blog
Forbes - Security
Forbes - Security
Webroot Blog
Webroot Blog
Schneier on Security
Schneier on Security
P
Privacy & Cybersecurity Law Blog
H
Heimdal Security Blog
Y
Y Combinator Blog
The GitHub Blog
The GitHub Blog
S
SegmentFault 最新的问题
V
Vulnerabilities – Threatpost
T
Tenable Blog
T
Tailwind CSS Blog
P
Privacy International News Feed
WordPress大学
WordPress大学
大猫的无限游戏
大猫的无限游戏
小众软件
小众软件
博客园 - Franky
Hacker News: Ask HN
Hacker News: Ask HN
Jina AI
Jina AI
C
Cybersecurity and Infrastructure Security Agency CISA
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
雷峰网
雷峰网
Vercel News
Vercel News
A
About on SuperTechFans
爱范儿
爱范儿
Simon Willison's Weblog
Simon Willison's Weblog
AWS News Blog
AWS News Blog
The Last Watchdog
The Last Watchdog
Engineering at Meta
Engineering at Meta
Spread Privacy
Spread Privacy
Security Archives - TechRepublic
Security Archives - TechRepublic
博客园 - 司徒正美
量子位
博客园 - 三生石上(FineUI控件)
J
Java Code Geeks
Hacker News - Newest:
Hacker News - Newest: "LLM"
Recorded Future
Recorded Future
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Martin Fowler
Martin Fowler
Project Zero
Project Zero

Show HN

GitHub - steveking-gh/firmion: Firmion is DSL and engine for firmware image generation. GitHub - villagesql/villagesql-skills: Agent skills for VillageSQL - gemini-cli-extension; claude-code-plugin GitHub - flightdeckhq/flightdeck: Observability and control plane for AI agents. CSP Radar GitHub - Light-Heart-Labs/DreamServer: Turn your PC, Mac, or Linux box into an AI server. LLM inference, chat UI, voice, agents, workflows, RAG, and image generation. GitHub - Diplomat-ai/diplomat-agent-ts: What can your TypeScript AI agent do to the real world? Scan your code. See which tool calls have zero checks Code Block Selector - Visual Studio Marketplace Prometheus dependency graph — interactive showcase | Riftmap Show HN: I made a vi-like modal keyboard plugin for Figma GitHub - run-llama/liteparse: A fast, helpful, and open-source document parser GitHub - dalemyers/Roar: A macOS CLI tool for notifications GitHub - district-solutions/open-agent-tools-coder: Enables small-to-large self-hosted ai models to use local source code when running tool-calling agentic workloads. We actively data mine 20,900+ (2+ TB) popular github repos using large and small ai models to create reuseable: json, markdown and parquet files for local-first tool-calling models. GitHub - progapandist/stripeek: A local TUI proxy for real-time Stripe API debugging, built for navigating complex payloads fast. GitHub - sir1st/hermes-desktop: All-in-one cross-platform desktop app for Hermes Agent — bundles Python + hermes-agent + hermes-web-ui GitHub - astefanutti/shaderbang: Shebang for Shaders Show HN: Generate Claude Code Workflows using Spec Driven Development approach GitHub - nixys/nxs-universal-chart: The Helm chart you can use to install any of your applications into Kubernetes/OpenShift Show HN: AI agents for UK GDAD PCF roles and their skills The Two Pillars: Mixer Mode and Meta-Software in the Reorganization of Software Work After AI GitHub - JaiCode08/teleport-env What 1,000+ Harness Experiments Taught Me About Self-Improving Agents Show HN: Liiists, a Markdown-first, iOS and CLI list app SwiperTab – Get this Extension for 🦊 Firefox (en-US) GitHub - kouhxp/fftext: Summarize, explain, fact-check, or translate any text, URL, or file. No GPU. No cloud. One command GitHub - sweetpad-dev/sweetpad: Develop Swift/iOS projects using VSCode GitHub - dogmaticdev/IRON: IRON a.k.a. Intermediate Representation Object Notation is a Interpreter/Database that is used to create Programming Languages. GitHub - sjhalani7/vaen: Package your AI coding harness into a portable .agent file, and share it across repos, teams, & the community without ever having to copy-paste instructions, skills, MCP config, or secrets. Show HN: Gandalf the Grader Show HN: Citadeld – replay any CI failure locally from a single file GitHub - tdortman/cuSBF: High-Performance GPU Super Bloom Filter coral-ai/claude-code-token-xray at main · Coral-Bricks-AI/coral-ai GitHub - ulyssestenn/funes: Funes is a Git-based framework for LLM-managed knowledge work: an AI Librarian ingests raw sources, builds an interlinked Markdown knowledge base, and uses it to produce cited reports, analyses, and other outputs. GitHub - ThatXliner/gah: Git Add Hunk, built for agents to use GitHub - harmont-dev/harmont-cli: Command-line client for the Harmont CI platform GitHub - brooksmcmillin/mcp-authflow: OAuth 2.0 Authorization Server framework for MCP servers GitHub - javaid-codes/audit-supply-chain-agents GitHub - amorey/gochan: A small library of common channel architectures for Go, inspired by Rust GitHub - arifozgun/OpenGem: Free, Open-Source AI API Gateway with Gemini, OpenAI & Anthropic Compatibility in 1 file GitHub - Pranesh950/BioPetals: 🌸 Run BIOxAI models at home, BitTorrent-style. Fine-tuning and inference up to 10x faster than offloading GitHub - cnguyen14/bounty-doctor: Diagnose a GitHub bounty issue before you waste hours: detects honeypot scam repos, AI-bot attempt swarms, and stale contests. Show HN: CoreMCP – MCP Server for On-Prem DBs Show HN: KittyHTML – Render HTML/CSS as an inline image in your terminal GitHub - bingud/filemat: Web-based file manager Show HN: TruthLens – Free multi-signal deepfake image detector GitHub - apexlocal-jz/claude-usage-tray: Windows system-tray app showing your Claude Code rate-limit usage at a glance. Zero deps, ~300 lines of PowerShell. Cross-IDE (works regardless of VS Code, Cursor, plain terminal). Release v0.1.2.1 · kouhxp/yapsnap GitHub - noopolis/moltnet: Self-hostable chat network for AI agents. Pre-built bridges for Claude Code, Codex, and the Claws. Rooms, DMs, history. No Slack bots, no Matrix, no glue code. GitHub - tamerh/enju: Coordinating Humans, AI Agents, and Compute as Peers on a Shared Workflow Graph Show HN: Continuity-auth – Respect-weighted rate limits for the open web GitHub - luml-ai/luml: AI lifecycle platform where engineers and agents track experiments, train models, and ship to production. GitHub - mrdanielcasper/CoreTex: A UNIX-inspired, biomimetic, flat-file AI harness and knowledge engine. GitHub - clemg/pierre-github: Pierre's diffs.com and trees.software for Github GitHub - lyriks-io/unspaghettit: Behavior-driven AI development without prompt spaghetti. GitHub - sofumel/claude-handoff-revive: Resume Claude Code work after rate/usage/context limits without replaying the prior transcript. Auto-saves at 90%/95% usage. Plugin-installable, 10 languages. GitHub - dotexorg/saferpc: Typed, end-to-end encrypted RPC over any bidirectional channel. GitHub - BeeZeeAgent/beezee: Agent harness orchestration Legato Next.js Boilerplate for Internal Tools · CoreUI GitHub - clark-labs-inc/clark-hash: Clark Hash, 32x smaller searchable sketches for embeddings GitHub - ZeroPointRepo/youtube-mcp: The fastest YouTube transcript + YouTube search MCP for AI agents. Try for free. Typing Mastery — climb toward 100+ WPM, deliberately GitHub - Andebugulin/Awareen GitHub - fayzan123/claude-workflow-composer: Visual desktop app for composing multi-agent coding workflows. Drag agents, attach skills and MCPs, wire handoffs, export to .claude/ GitHub - harshaneel/humanize: Best static AI text humanizer. Two research-grounded skills that work in any LLM (Claude, ChatGPT, Gemini, Codex): humanize beats perplexity-based detectors, ai-check produces forensic scoring with evidence-quoted flags. Nine levers, 50+ peer-reviewed sources, 2024-2026 detection literature. GitHub - StackOneHQ/stack-nudge GitHub - nodes-app/swift-markdown-engine: A native AppKit Markdown editor for macOS, built on TextKit 2 and bridged to SwiftUI. We hardened an LLM agent. Each defense we added made it more exploitable. GitHub - alkait/WhatsKept: Agent-queryable WhatsApp history from an iOS backup — a single Go binary. GitHub - octelium/cordium: Open-source, general-purpose sandbox platform for devs and AI agents that provides identity-based secure access to infrastructure without credentials. WAR.GOV/UFO Microfilm5 GitHub - scosman/videowright: Build animated explainer videos with your coding agent GitHub - dipankar/dscode: The code editor you can take apart. GitHub - zoharbabin/web-researcher-mcp: MCP server (Go) for AI assistants: web search, content extraction, academic/patent/news research. Multi-provider routing, 4-tier scraping, search lenses. Works with Claude, Cursor, and any MCP client. GitHub - ruvnet/RuView: π RuView turns commodity WiFi signals into real-time spatial intelligence, vital sign monitoring, and presence detection — all without a single pixel of video. GitHub - scanaislop/aislop: Catch the slop AI coding agents leave in your code: narrative comments, swallowed exceptions, as-any casts, dead code, oversized functions. 50+ rules across 7 languages (TypeScript, JavaScript, Python, Go, Rust, Ruby, PHP). Sub-second, deterministic, no LLM at runtime. MIT-licensed. GitHub - kouhxp/cheap-im: CPU-only voice agent approximating Thinking Machines' Interaction Models demo GitHub - unprovable/OrchidMantis: Orchid Mantis — standalone framework for Zero-Knowledge Proofs of eXploit (ZKPoX). GitHub - MarcellM01/TinySearch: Shrink the web for your local LLMs! GitHub - TangibleResearch/Halgorithem: A Algo designed to detect AI Hallucitions GitHub - DO-SAY-GO/freelang: I love freelang GitHub - CarpseDeam/Aura-IDE: An AI coding harness that shaped itself - Planner/Worker agents, repo awareness, surgical edits, validation, recovery, and safe diff approvals. GitHub - chojs23/concord: A feature-rich TUI client for Discord GitHub - tommyjepsen/awesome-ux-skills: UX & AI Product designs skills you can use today in Claude Code GitHub - aerf-spec/aerf: Agent Evidence Receipt Format (AERF) — an open specification for tamper-evident, independently verifiable records of AI agent actions. GitHub - kklimuk/docx-cli: CLI for AI agents (Claude, Codex) to read, edit, and comment on .docx files with full format fidelity. GitHub - Jwrede/tokentoll: Catch LLM cost changes in code review. Infracost for LLM spend. GitHub - samchon/ttsc: A `typescript-go` toolchain for compiler-powered plugins and type-safe execution + 500x faster lint integrated into compiler GitHub - Higangssh/homebutler: 🏠 Manage your homelab from chat. Single binary, zero dependencies. GitHub - olalie/tapmap: See where your computer connects and what stands out on a live world map. GitHub - Diplomat-ai/diplomat-agent: What can your AI agent do to the real world? Scan your code. See which tool calls have zero checks GitHub - Bajusz15/beacon: Open-source agent for secure remote access, monitoring, and deploys across home-lab and self-hosted machines like Raspberry Pi, N100, or any Linux server. Open web based TTY or tunnel Home Assistant and other local services securely without opening ports. BigTech AI News - Chrome 应用商店 GitHub - vinhnx/VTCode: VT Code is an open-source coding agent with LLM-native code understanding and robust shell safety. Supports multiple LLM providers with automatic failover and efficient context management. GitHub - michaelaz774/decision-engine: A decision operating system for startup founders, powered by Claude Code. Synthesizes wisdom from 25+ legendary founders and investors into interactive AI-driven decision frameworks. GitHub - Chrilleweb/dotenv-diff: Validate environment variable usage in your codebase GitHub - Lumen-Labs/brainapi2: BrainAPI is a knowledge graph–powered AI memory layer that transforms unstructured data into structured knowledge, enabling intelligent search, recommendations, and contextual memory for AI agents and applications. GitHub - familiar-software/familiar: Let AI watch you work. Familiar lets your AI update its memory, skills, and knowledge by watching your screen. GitHub - skorotkiewicz/rudo: A small, elegant dock for Wayland GitHub - muxshed/shed: One stream in, or many. Every destination, simultaneously. No cloud middleman, no per-channel fees, no limits. make sidebar/address bar rounded corner toggleable
GitHub - sricola/drydock: Hardware-isolated sandbox for autonomous coding agents on macOS. The agent never sees your real Anthropic key; egress is deny-by-default; only a git diff leaves the sandbox, gated on your approval.
sricola · 2026-06-19 · via Show HN

drydock

status: alpha version platform license

drydock runs autonomous coding agents (Claude Code or OpenAI Codex, per-task selectable) on your own Mac — not someone's cloud — each task sealed in its own hardware-isolated VM. It starts from the assumption that the agent is already compromised: your real API key never enters the sandbox (a host-side gateway hands it short-lived, budget-capped tokens), egress is deny-by-default, and the only thing that crosses back out is a git diff you approve before it reaches origin.

Most agent tooling tries to keep the agent well-behaved — permission prompts, output filters, policy. drydock takes the opposite stance: contain the blast radius so a hostile agent (a poisoned repo, a malicious dependency, a prompt-injection that turns a fetched URL into a shell command) can't reach your key, your filesystem, your push credentials, or the open internet — regardless of what it tries.

Status: working alpha (v0.1.5). The full task lifecycle works end-to-end — submit → isolated VM → gated diff → push — and drydock ships through a Homebrew tap. It is pre-1.0 and single-maintainer: only main is supported, behavior and config can change between minor versions, and it hasn't been hardened by real-world use. There has been no third-party security audit — the security model is written down in detail in the threat model, so read that and decide for yourself before trusting it. Hard requirement: macOS 26+ on Apple silicon — it runs on Apple's container runtime (itself 1.0), so it won't run anywhere else.

Security claims: THREAT_MODEL.md.
Website: https://sricola.github.io/drydock/

Install

# Prerequisites (anything you don't already have)
brew install --cask container
brew install squid

The PR/MR adapters call gh, glab, or tea — install whichever your repos use, and run their respective auth login before submitting a task.

Option A — Homebrew (recommended)

brew tap sricola/drydock
brew trust sricola/drydock     # personal taps require explicit trust
brew install drydock
drydock init

Pulls a pre-built Apple-silicon binary from the latest tagged release (currently v0.1.5); no Go toolchain required.

Option B — Build from source

brew install go
git clone https://github.com/sricola/drydock && cd drydock
make install                             # PREFIX=/usr/local by default
make install PREFIX=$HOME/.local         # …or a user-owned prefix
drydock init

Either way, drydock init walks the remaining prereqs (container service, drydock-egress network, sandbox + anchor images) and reports per-step status. Idempotent — re-run any time.

Run

At least one vendor key is required. Both are host-only — they never go to disk and never enter the VM:

export ANTHROPIC_API_KEY=sk-ant-...   # required for Claude Code tasks
export OPENAI_API_KEY=sk-...          # required for Codex tasks
drydock start              # foreground; ^C to stop. backgrounds via & or your launchd plist.

Quick liveness:

drydock status
# brokerd     up
# in flight   0 running · 0 awaiting egress · 0 awaiting diff · 0 pushing
# tasks       0 total · 0 in last 24h
# audit dir   ~/.drydock/audit

Submit a task

First time? Walk through examples/hello-task.md — a copy-paste first task that exercises every layer, fits inside the default budget, and tells you exactly what each step proves.

In one shell, fire the task. It blocks until the agent runs and you approve the diff (typical: a few seconds to a few minutes, plus your review time):

drydock submit \
  --repo git@github.com:your-org/your-repo \
  --instruction "Add a one-line comment to README.md explaining the project."

A macOS notification fires when the diff is ready. In another shell:

drydock pending               # awaiting tasks (egress + diff gates both shown)
drydock review <id>           # diff in $PAGER, then prompt y/N — the one-shot path
                              # ─ or, step by step ─
less ~/.drydock/audit/<id>.diff
drydock approve <id>          # … or: drydock deny <id>

The submit shell unblocks with the push outcome:

task ab12cd34: pushed agent/ab12cd34 (github)

Operator surface (other shell)

drydock status                # brokerd up?, breakdown (running · egress · diff · pushing)
drydock tasks                 # recent runs: id, age, duration, cost, outcome
drydock logs <id> [-f]        # stream-json audit (use -f to follow)
drydock kill <id>             # cancel the in-flight task (VM down + gate unblocked)
drydock doctor                # smoke-test the sandbox setup (no API spend)

Submit variations

# Use OpenAI Codex instead of Claude Code for this task
drydock submit --repo … --instruction "" --agent codex

# Long prompt from a file
drydock submit --repo … --instruction-file ./task.md

# Pipe from stdin
echo "Refactor the egress compiler" | drydock submit --repo … -

# Pick a specific model (overrides default_model in config)
drydock submit --repo … --instruction "" --model claude-sonnet-4-6

# Skip the approval gate (trusted batch run; see threat model)
drydock submit --repo … --instruction "" --auto-approve

# Request additional egress (host:port[,port], repeatable; gated)
drydock submit --repo … --instruction "" \
  --egress-extra internal.example.com:443 \
  --egress-extra files.example.com:443,8443

# Scripting — emit the raw response shape
drydock submit --repo … --instruction "" --json | jq .branch

If you'd rather hit the HTTP API directly:

SOCK=$TMPDIR/drydock-$(id -u)/drydock.sock
curl --unix-socket "$SOCK" http://_/tasks \
  -H 'content-type: application/json' \
  -d '{ "repo_ref": "git@github.com:o/r", "instruction": "..." }'

Notifications opt-out: DRYDOCK_NO_NOTIFY=1.

Platform selection

repo_ref must be a git URL (https://, git@, or ssh://); local paths are rejected because adapters can't operate on filesystem origins. The PR/MR adapter is chosen by platform:

  • "platform": "github"gh pr create --head <branch> --fill (needs gh authed)
  • "platform": "gitlab"glab mr create --fill --yes (needs glab authed)
  • "platform": "gitea" (alias forgejo) → tea pr create --head <branch> (needs tea authed)
  • "platform": "none" → push only; no PR/MR
  • omitted → hostname autodetect (github.com, gitlab.com, gitea.com/codeberg.org; else push-only — covers Bitbucket and other self-hosted)

Self-hosted GitLab and Gitea need explicit "platform". Bitbucket has no widely-adopted CLI to wrap and falls back to push-only; contributions welcome. The push response includes "platform" so the caller can see which adapter ran. "auto_approve": true skips the gate — see the threat model before using it.

Where config lives

drydock init creates ~/.drydock/ at mode 0700 and seeds two files:

Path What
~/.drydock/config.yaml Operator settings (network name, gateway IP, per-task budget + timeout, max concurrent tasks, paths, broker listener, behavior flags)
~/.drydock/egress.yaml Squid + gateway allowlist (hosts and ports the sandbox may reach)

Both files are seeded from defaults the first time; drydock init never overwrites them. Env vars still win over file values (e.g. BROKER_ADDR=… in the shell overrides broker.addr in the YAML), so existing scripts keep working. The vendor keys (ANTHROPIC_API_KEY / OPENAI_API_KEY) are intentionally not in either file — by design, they never go to disk.

Egress policy

~/.drydock/egress.yaml is the source of truth (seed template lives at $HOMEBREW_PREFIX/share/drydock/config/egress.yaml). The default:

default:
  domains:
    - { host: api.anthropic.com,      ports: [443] }   # routed via gateway
    - { host: api.openai.com,         ports: [443] }   # routed via gateway
    # JavaScript
    - { host: registry.npmjs.org,     ports: [443] }   # routed via squid
    # Python
    - { host: pypi.org,               ports: [443] }   # routed via squid
    - { host: files.pythonhosted.org, ports: [443] }   # routed via squid
    # Go module ecosystem
    - { host: proxy.golang.org,       ports: [443] }   # routed via squid
    - { host: sum.golang.org,         ports: [443] }   # routed via squid
per_task_widening:
  requires_approval: true

The sandbox image ships Node 22, Python 3.11, and Go 1.26 so JS, Python, and Go tasks work without operator customization. Other toolchains can be added by extending image/Dockerfile and rebuilding via make image (or drydock init, which detects stale images and rebuilds).

api.anthropic.com and api.openai.com are intentionally excluded from the squid allowlist — they route through the credential gateway, not the proxy. Per-task widening via egress_extra goes through the same human-driven gate as the diff push (when per_task_widening.requires_approval: true, which is the default): brokerd blocks the request, writes the requested hosts to AUDIT_ROOT/<id>.widen.json, and shows the task in drydock pending under gate egress. Approve with drydock approve <id> once you've reviewed the request. Restart brokerd after editing the default allowlist.

Configuration

The canonical location is ~/.drydock/config.yaml — seeded by drydock init with the defaults below as a commented template. Edit and re-run drydock start. Env vars still override file values for ops/scripting:

Field (config.yaml) Env override Default Meaning
ANTHROPIC_API_KEY (at least one required) Real Anthropic key; host-only, never goes to disk
OPENAI_API_KEY (at least one required) Real OpenAI key; host-only, never goes to disk
default_agent DRYDOCK_DEFAULT_AGENT claude Agent to use when --agent is not passed; allowed values: claude | codex
network DRYDOCK_NETWORK drydock-egress vmnet network name
gateway_ip DRYDOCK_GW_IP 192.168.66.1 gateway + squid bind here
sandbox_image SANDBOX_IMAGE drydock-sandbox:latest per-task agent VM image
anchor_image DRYDOCK_ANCHOR_IMAGE drydock-anchor:latest minimal sleep-forever image holding the vmnet gateway IP
task_budget_usd DRYDOCK_TASK_BUDGET_USD 2.0 per-task USD ceiling
max_concurrent_tasks DRYDOCK_MAX_CONCURRENT_TASKS 2 excess POSTs to /tasks get HTTP 503
task_timeout 30m wall-clock per task
default_model DRYDOCK_DEFAULT_MODEL (empty) agent --model fallback for tasks that don't pass --model (passed to claude --model or codex exec --model); empty = the agent picks
stage_root / audit_root / squid_run_dir STAGE_ROOT / AUDIT_ROOT / SQUID_RUN_DIR ~/.drydock/{stage,audit,squid} per-task scratch (audit dir is 0700, audit log + diff are 0600). Pre-v0.1.4 used /tmp/broker/; drydock tasks and friends still surface that history while it exists.
broker.socket BROKER_SOCKET $TMPDIR/drydock-$UID/drydock.sock Unix socket (per-user parent dir at 0700, socket at 0600)
broker.addr BROKER_ADDR (empty) set host:port to expose over TCP (warns at boot — no auth; see SECURITY.md § TCP exposure)
notifications DRYDOCK_NO_NOTIFY=1 (off) true macOS notifications on pending approval
log_json DRYDOCK_LOG_JSON=1 false force JSON logs even on a TTY (default: terse text on TTY, JSON otherwise)
strict_container_version DRYDOCK_STRICT_CONTAINER_VERSION=1 false fail closed when container major drifts from the tested range
EGRESS_CONFIG ~/.drydock/egress.yaml path override for the egress YAML

Gateway port 8088 and squid port 3128 are hard-coded in cmd/brokerd/main.go and image/entrypoint.sh; change both together.

Troubleshooting

Symptom First place to look
192.168.66.1 never became bindable container ls -a (anchor running?), container network inspect drydock-egress (gateway IP?)
Image build fails on npm install Transient registry timeout; rerun container build
Squid CONNECT 403 to an expected host cat ~/.drydock/squid/squid-allow.txt; add via egress.yaml or egress_extra
Stale anchor after a crash container rm -f drydock-anchor; next brokerd start does this for you
Gateway 401 Key wrong or placeholder (sk-ant-fake is expected to 401)
VM reaches a host it shouldn't Confirm init-firewall.sh ran inside the VM — overriding --entrypoint skips it

Per-task stream-json from the agent lands in $AUDIT_ROOT/<id>.jsonl; the diff lands in $AUDIT_ROOT/<id>.diff.

Layout

cmd/brokerd/      # broker daemon
cmd/drydock/      # operator CLI (init|start|submit|status|tasks|pending|review|approve|deny|kill|logs)
internal/
  broker/         # /tasks + admin handlers, approval + egress gates, concurrency, cancellation
  creds/          # Grant/Provider interfaces
  egress/         # YAML loader + allowlist compilation + host/port validation
  gateway/        # credential gateway (mint/serve/account/revoke), constant-time token check
  netfw/          # squid conf + allowlist compiler
  remote/         # PR/MR adapters: github (gh), gitlab (glab), gitea (tea), push-only
  runner/         # `container run` argv builder
  sockpath/       # shared per-uid socket path discovery for brokerd + CLI
  stage/          # work tree, host-side commit + push, curated adapter env
image/            # drydock-sandbox (hosts claude-code + codex): Dockerfile + entrypoint.sh + init-firewall.sh
image/anchor/     # drydock-anchor: FROM scratch + static Go sleep binary
tests/integration # //go:build integration — boots brokerd against real container CLI
config/           # egress.yaml
site/             # narrative explainer + launch post
docs/superpowers/ # historical design specs
LICENSE           # MIT
SECURITY.md       # how to report a security bug + documented residuals
THREAT_MODEL.md   # what drydock defends — and doesn't
Makefile          # build, install, test, test-integration, image, image-anchor, network, init, clean

Build, test, CI

make build              # bin/brokerd, bin/drydock
make test               # go test -race ./...
make image              # both images
make image-sandbox      # per-task agent image
make image-anchor       # minimal anchor image (FROM scratch + static binary)
make test-integration   # boot brokerd as subprocess; macOS only, needs container runtime

GitHub Actions runs go build, go test -race, and go vet on every push/PR. Integration (make test-integration) requires container and is macOS-only — runs locally, not in CI. No real Anthropic or OpenAI spend.

Known gaps

  • Pricing in internal/gateway/pricing.go covers Anthropic 4.x families (Opus, Sonnet, Haiku) and OpenAI GPT-5/o4 families, each with a high-end default fallback; the budget gate is a safety cap, not a billing source of truth. Bump when either vendor publishes new rates.
  • Audit dir (~/.drydock/audit/) grows unbounded — old <id>.{jsonl,diff} files aren't pruned. No drydock tasks --prune yet.
  • Up to DRYDOCK_MAX_CONCURRENT_TASKS tasks in flight per brokerd (default 2); raise on bigger hardware.
  • No Slack/web approval adapters yet — only the local CLI + macOS notifications.
  • Bitbucket PR/MR opening: push-only fallback (no widely-adopted CLI to wrap). Contribution slot.
  • Apple container is v1.0; flag drift is the most likely breakage source. DRYDOCK_STRICT_CONTAINER_VERSION=1 fails closed on drift.