Show HN: Hazmat – I made unrestricted Claude Code safe on macOS (github.com)

1 points by dredozubov ↗ HN
Hazmat gives AI coding agents full autonomy by containing them at the OS level — dedicated macOS user, kernel sandbox (Seatbelt), pf firewall, DNS blocklist, supply chain hardening (npm ignore-scripts), and automatic snapshots.

I built it because manual approval mode is the worst of both worlds: fake security (any prompt injection bypasses it) and a productivity killer (you become the bottleneck). With OS-level containment in place, --dangerously-skip-permissions becomes safe by default.

Setup/rollback ordering is formally verified with TLA+ (26,905 states, 3 real bugs found). Works with Claude Code, OpenCode, Codex, or any terminal agent.

brew install dredozubov/tap/hazmat

Full write-up: https://codeofchange.io/how-i-made-dangerously-skip-permissi...

4 comments

[ 0.34 ms ] story [ 18.8 ms ] thread
[flagged]
I'd be interested to learn what you think when you try hazmat.

Running TLA+ via coding agents became a productivity hack for me to quickly catch invariant breaks, especially in concurrency-sensitive settings. LLM-based coding agents improved to the point of trivializing the process of encoding and running these models.

For this project, I was really concerned with the correctness of the init/rollback logic since it deals with users and groups, and it's easy to make life uncomfortable if you implement it incorrectly. So I decided to formalize migration paths for configurations I set up with 'hazmat init', and revert with 'hazmat rollback', which effectively returns the system to the state it was before running hazmat. I had a workspace concept in 0.1.0, which was removed in 0.2.0, and I wanted to check that I don't leave the system in a weird state. Then I reused and updated this migration model for 0.2.0 -> 0.3.0 and so on.

Also, I found multiple issues with seatbelt policy generation, a flaw that would allow a launch without a firewall, nasty cloud restore bug for s3 snapshots.