@jgamaraalv/ts-dev-kit 3.0.1 → 3.1.0

package/.claude-plugin/marketplace.json

@@ -5,14 +5,14 @@
     "url": "https://github.com/jgamaraalv"
   },
   "metadata": {
-    "description": "15 agents and 21 skills for TypeScript fullstack development with Claude Code"
+    "description": "15 agents and 22 skills for TypeScript fullstack development with Claude Code"
   },
   "plugins": [
     {
       "name": "ts-dev-kit",
       "source": "./",
-      "description": "15 specialized agents and 21 skills for TypeScript fullstack development",
-      "version": "3.0.1",
+      "description": "15 specialized agents and 22 skills for TypeScript fullstack development",
+      "version": "3.1.0",
       "author": {
         "name": "jgamaraalv"
       },

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "ts-dev-kit",
-  "version": "3.0.1",
-  "description": "15 specialized agents and 21 skills for TypeScript fullstack development with Fastify, Next.js, PostgreSQL, Redis, and more.",
+  "version": "3.1.0",
+  "description": "15 specialized agents and 22 skills for TypeScript fullstack development with Fastify, Next.js, PostgreSQL, Redis, and more.",
   "author": {
     "name": "jgamaraalv",
     "url": "https://github.com/jgamaraalv"

package/CHANGELOG.md

@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.1.0] - 2026-02-27
+
+### Added
+
+- `/yolo` skill: devcontainer setup and launch workflow for running Claude Code with `--dangerously-skip-permissions` in a secure, sandboxed environment — detects existing devcontainer, checks Docker status, scaffolds the Claude Code reference `.devcontainer/` (Dockerfile, firewall, config), starts Docker if needed, and opens VS Code to launch the container
+- Dynamic context injection to `/yolo`: project root, devcontainer presence, Docker daemon status, Docker and VS Code installation are pre-injected before Claude receives the prompt
+
 ## [3.0.1] - 2026-02-27
 
 ### Fixed

package/README.md

@@ -1,6 +1,6 @@
 # ts-dev-kit
 
-> 15 specialized agents + 21 curated skills for TypeScript fullstack development
+> 15 specialized agents + 22 curated skills for TypeScript fullstack development
 
 [![npm version](https://img.shields.io/npm/v/@jgamaraalv/ts-dev-kit)](https://www.npmjs.com/package/@jgamaraalv/ts-dev-kit)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
@@ -30,7 +30,7 @@
 | typescript-pro          | Generics, type inference, conditional types             |
 | ux-optimizer            | User flows, form UX, friction reduction                 |
 
-### Skills (21)
+### Skills (22)
 
 | Skill                  | Slug                      | Domain                                            |
 | ---------------------- | ------------------------- | ------------------------------------------------- |
@@ -55,6 +55,7 @@
 | TanStack Query         | `/tanstack-query`         | React Query v5, caching, SSR/hydration            |
 | TypeScript Conventions | `/typescript-conventions` | Strict config, patterns, best practices           |
 | UI/UX Guidelines       | `/ui-ux-guidelines`       | Accessibility, layout, forms                      |
+| Yolo                   | `/yolo`                   | Devcontainer setup for autonomous Claude Code     |
 
 ---
 
@@ -206,6 +207,7 @@ Several skills use the `!`command`` syntax to pre-inject live data before Claude
 | `/conventional-commits` | Staged diff summary, full staged diff, last 8 commit messages |
 | `/debug` | Last 10 git commits, working tree status |
 | `/codebase-adapter` | Working directory, lockfile, installed agents, MCP servers, `package.json` |
+| `/yolo` | Project root, devcontainer presence, Docker status, VS Code installation |
 
 ---
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@jgamaraalv/ts-dev-kit",
-  "version": "3.0.1",
-  "description": "Claude Code plugin: 15 agents + 21 skills for TypeScript fullstack development",
+  "version": "3.1.0",
+  "description": "Claude Code plugin: 15 agents + 22 skills for TypeScript fullstack development",
   "author": "jgamaraalv",
   "license": "MIT",
   "repository": {

package/skills/debug/SKILL.md

@@ -22,6 +22,10 @@ allowed-tools: Bash(git *)
 - "Debug the notification queue — jobs are stuck"
 </trigger_examples>
 
+<task>
+$ARGUMENTS
+</task>
+
 <workflow>
 Follow each phase in order. Each one feeds the next.
 
@@ -233,7 +237,3 @@ When complete, produce a debug report using the template in [template.md](templa
 
 Do not add explanations, caveats, or follow-up suggestions unless the user asks.
 </output>
-
-<task>
-$ARGUMENTS
-</task>

package/skills/yolo/SKILL.md

@@ -0,0 +1,319 @@
+---
+name: yolo
+description: "Sets up and launches a Claude Code devcontainer with --dangerously-skip-permissions for fully autonomous, unattended operation inside a sandboxed environment. Use when: (1) user wants to run Claude Code without permission prompts, (2) setting up a secure development container for autonomous coding, (3) user says 'yolo', 'yolo mode', 'run without permissions', 'autonomous mode', 'skip permissions safely', or 'devcontainer setup'."
+argument-hint: "[optional: path to project root — defaults to current directory]"
+allowed-tools: Bash(docker *), Bash(ls *), Bash(cat *), Bash(cp *), Bash(mkdir *), Bash(which *), Bash(open *), Bash(code *), Bash(command *)
+---
+
+<live_context>
+**Project root:**
+!`pwd`
+
+**Devcontainer present:**
+!`ls -la .devcontainer/devcontainer.json 2>/dev/null && echo "YES" || echo "NO"`
+
+**Docker daemon status:**
+!`docker info --format '{{.ServerVersion}}' 2>/dev/null && echo "RUNNING" || echo "NOT RUNNING"`
+
+**Docker Desktop installed:**
+!`command -v docker 2>/dev/null || echo "NOT FOUND"`
+
+**VS Code installed:**
+!`command -v code 2>/dev/null || echo "NOT FOUND"`
+</live_context>
+
+<trigger_examples>
+- "yolo"
+- "Enter yolo mode"
+- "Set up a devcontainer so Claude can run autonomously"
+- "I want to run Claude Code without permission prompts"
+- "Skip permissions safely with a devcontainer"
+- "Set up autonomous mode"
+</trigger_examples>
+
+<system>
+You are a devcontainer setup specialist. Your goal is to get the user into a secure, sandboxed devcontainer running `claude --dangerously-skip-permissions` as quickly as possible. You follow a strict decision tree and never skip safety checks.
+
+**IMPORTANT SECURITY NOTE:** While the devcontainer provides substantial protections (network firewall, isolation), it is NOT immune to all attacks. Only use devcontainers with **trusted repositories**. The `--dangerously-skip-permissions` flag gives Claude full access to everything inside the container, including credentials mounted into it. Always inform the user of this trade-off.
+</system>
+
+<task>
+$ARGUMENTS
+</task>
+
+<workflow>
+Follow this decision tree strictly. Each phase gates the next.
+
+```
+START
+  │
+  ├─ Phase 1: Detect devcontainer
+  │    ├─ EXISTS → Phase 2
+  │    └─ MISSING → Phase 5 (install) → Phase 2
+  │
+  ├─ Phase 2: Check Docker
+  │    ├─ RUNNING → Phase 3
+  │    └─ NOT RUNNING → Phase 4 (start Docker) → Phase 3
+  │
+  ├─ Phase 3: Launch devcontainer
+  │    └─ claude --dangerously-skip-permissions
+  │
+  ├─ Phase 4: Start Docker
+  │    └─ Start Docker Desktop/daemon → Phase 3
+  │
+  └─ Phase 5: Install devcontainer
+       └─ Scaffold .devcontainer/ → Phase 2
+```
+
+<phase_1_detect>
+
+## Phase 1 — Detect devcontainer
+
+Check whether `.devcontainer/devcontainer.json` exists in the project root.
+
+1. Read the `<live_context>` above for the pre-injected detection result.
+2. If **YES** — announce to the user and proceed to Phase 2:
+
+> **DEVCONTAINER DETECTED** — `.devcontainer/` found. Checking Docker status...
+
+3. If **NO** — announce and proceed to Phase 5:
+
+> **NO DEVCONTAINER FOUND** — I'll set one up using the Claude Code reference implementation.
+
+</phase_1_detect>
+
+<phase_2_check_docker>
+
+## Phase 2 — Check Docker
+
+Verify the Docker daemon is running and accessible.
+
+1. Read the `<live_context>` above for the pre-injected Docker status.
+2. If `docker` command is **NOT FOUND**:
+
+> **DOCKER NOT INSTALLED** — Docker Desktop is required for devcontainers. Please install it from https://www.docker.com/products/docker-desktop/ and re-run `/yolo`.
+
+Stop here. Do not proceed.
+
+3. If Docker is **RUNNING** — proceed to Phase 3:
+
+> **DOCKER RUNNING** (version X.X.X) — Ready to launch devcontainer.
+
+4. If Docker is **NOT RUNNING** — proceed to Phase 4.
+
+</phase_2_check_docker>
+
+<phase_3_launch>
+
+## Phase 3 — Launch devcontainer
+
+Open the project in VS Code with the devcontainer.
+
+**Prerequisites check:**
+
+1. Verify VS Code is installed (`command -v code`).
+2. If VS Code is not installed, inform the user:
+
+> **VS Code is required** for devcontainer support. Install it from https://code.visualstudio.com/ and the [Dev Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers).
+
+**Launch sequence:**
+
+1. Open the project in VS Code:
+
+```bash
+code .
+```
+
+2. Instruct the user:
+
+> **LAUNCHING DEVCONTAINER**
+>
+> VS Code is opening your project. Follow these steps:
+>
+> 1. VS Code should prompt **"Reopen in Container"** — click it.
+>    - If no prompt appears: open Command Palette (`Cmd+Shift+P` / `Ctrl+Shift+P`) → type **"Dev Containers: Reopen in Container"** → select it.
+> 2. Wait for the container to build (first time takes 2-5 minutes as it installs Node.js 20, Claude Code, ZSH, and configures the firewall).
+> 3. Once inside the container, open a terminal and run:
+>    ```
+>    claude --dangerously-skip-permissions
+>    ```
+>
+> **What's happening under the hood:**
+>
+> - The container runs Node.js 20 with Claude Code pre-installed
+> - A firewall restricts outbound traffic to: npm registry, GitHub, Claude API, Sentry, and VS Code marketplace only
+> - All other internet access is blocked (verified on startup)
+> - Your project is mounted at `/workspace`
+> - Shell history and Claude config persist between container restarts
+>
+> **Security trade-off:** `--dangerously-skip-permissions` means Claude can execute ANY command inside the container without asking. The firewall and container isolation are your safety net. Only use this with trusted code.
+
+</phase_3_launch>
+
+<phase_4_start_docker>
+
+## Phase 4 — Start Docker
+
+The Docker daemon is installed but not running.
+
+**macOS:**
+
+```bash
+open -a Docker
+```
+
+**Linux:**
+
+```bash
+sudo systemctl start docker
+```
+
+After issuing the start command:
+
+1. Wait for Docker to become ready (poll up to 30 seconds):
+
+```bash
+for i in $(seq 1 15); do
+  docker info --format '{{.ServerVersion}}' 2>/dev/null && break
+  sleep 2
+done
+```
+
+2. Re-verify Docker is running:
+
+```bash
+docker info --format '{{.ServerVersion}}' 2>/dev/null
+```
+
+3. If Docker started successfully — proceed to Phase 3:
+
+> **DOCKER STARTED** — Docker daemon is now running. Launching devcontainer...
+
+4. If Docker failed to start after 30 seconds:
+
+> **DOCKER FAILED TO START** — Please start Docker Desktop manually and re-run `/yolo`.
+
+Stop here.
+
+</phase_4_start_docker>
+
+<phase_5_install_devcontainer>
+
+## Phase 5 — Install devcontainer
+
+Scaffold the `.devcontainer/` directory with the Claude Code reference implementation.
+
+### Step 1 — Create directory
+
+```bash
+mkdir -p .devcontainer
+```
+
+### Step 2 — Create `devcontainer.json`
+
+Write the file using the reference config. See [references/devcontainer-json.md](references/devcontainer-json.md) for the full file content.
+
+Key settings:
+
+- Name: `"Claude Code Sandbox"`
+- Dockerfile build with Node.js 20
+- `NET_ADMIN` + `NET_RAW` capabilities (required for firewall)
+- Claude Code VS Code extension pre-installed
+- Volume mounts for bash history and Claude config persistence
+- Firewall initialization via `postStartCommand`
+- Workspace mounted at `/workspace`
+
+### Step 3 — Create `Dockerfile`
+
+Write the file using the reference Dockerfile. See [references/dockerfile.md](references/dockerfile.md) for the full file content.
+
+Key features:
+
+- Base: `node:20`
+- Installs: git, ZSH, fzf, gh CLI, iptables/ipset, nano, vim
+- Installs `@anthropic-ai/claude-code` globally
+- Sets up non-root `node` user
+- Configures ZSH with Powerlevel10k theme
+- Copies and configures firewall script with sudo access
+
+### Step 4 — Create `init-firewall.sh`
+
+Write the file using the reference firewall script. See [references/init-firewall.sh.md](references/init-firewall.sh.md) for the full file content.
+
+Key security features:
+
+- Default-deny policy (DROP all INPUT, OUTPUT, FORWARD)
+- Whitelisted outbound only: npm registry, GitHub (dynamic IP fetch), Claude API, Sentry, StatsIG, VS Code marketplace
+- DNS and SSH allowed
+- Localhost and host network allowed
+- Startup verification: confirms `example.com` is blocked and `api.github.com` is reachable
+- Docker DNS rules preserved
+
+### Step 5 — Add `.devcontainer` to `.gitignore` (optional)
+
+Check if `.gitignore` exists and whether `.devcontainer/` is already listed. If not, ask the user:
+
+> **Should I add `.devcontainer/` to `.gitignore`?**
+>
+> - **Yes** — keep devcontainer config local to your machine
+> - **No** — commit it so the whole team can use it (recommended for teams)
+
+### Step 6 — Verify installation
+
+```bash
+ls -la .devcontainer/
+cat .devcontainer/devcontainer.json | head -5
+```
+
+Announce completion:
+
+> **DEVCONTAINER INSTALLED** — `.devcontainer/` is ready with Dockerfile, firewall script, and configuration. Proceeding to check Docker...
+
+Return to Phase 2.
+
+</phase_5_install_devcontainer>
+
+</workflow>
+
+<customization_notes>
+
+## Customizing the devcontainer
+
+After installation, the user may want to customize:
+
+**Adding allowed domains to the firewall:**
+Edit `.devcontainer/init-firewall.sh` and add domains to the `for domain in` loop:
+
+```bash
+for domain in \
+    "registry.npmjs.org" \
+    "api.anthropic.com" \
+    "your-custom-domain.com" \   # <-- add here
+    ...
+```
+
+**Adding VS Code extensions:**
+Edit `.devcontainer/devcontainer.json` → `customizations.vscode.extensions[]`:
+
+```json
+"extensions": [
+    "anthropic.claude-code",
+    "your-extension.id"
+]
+```
+
+**Changing Node.js version:**
+Edit `.devcontainer/Dockerfile` — change the `FROM` line:
+
+```dockerfile
+FROM node:22
+```
+
+**Adding project-specific dependencies:**
+Add `RUN` commands to the Dockerfile before the `USER node` line:
+
+```dockerfile
+RUN apt-get update && apt-get install -y your-package
+```
+
+</customization_notes>

package/skills/yolo/references/devcontainer-json.md

@@ -0,0 +1,74 @@
+# devcontainer.json — Reference
+
+Write this file to `.devcontainer/devcontainer.json`:
+
+```json
+{
+  "name": "Claude Code Sandbox",
+  "build": {
+    "dockerfile": "Dockerfile",
+    "args": {
+      "TZ": "${localEnv:TZ:America/Los_Angeles}",
+      "CLAUDE_CODE_VERSION": "latest",
+      "GIT_DELTA_VERSION": "0.18.2",
+      "ZSH_IN_DOCKER_VERSION": "1.2.0"
+    }
+  },
+  "runArgs": [
+    "--cap-add=NET_ADMIN",
+    "--cap-add=NET_RAW"
+  ],
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "anthropic.claude-code",
+        "dbaeumer.vscode-eslint",
+        "esbenp.prettier-vscode",
+        "eamodio.gitlens"
+      ],
+      "settings": {
+        "editor.formatOnSave": true,
+        "editor.defaultFormatter": "esbenp.prettier-vscode",
+        "editor.codeActionsOnSave": {
+          "source.fixAll.eslint": "explicit"
+        },
+        "terminal.integrated.defaultProfile.linux": "zsh",
+        "terminal.integrated.profiles.linux": {
+          "bash": {
+            "path": "bash",
+            "icon": "terminal-bash"
+          },
+          "zsh": {
+            "path": "zsh"
+          }
+        }
+      }
+    }
+  },
+  "remoteUser": "node",
+  "mounts": [
+    "source=claude-code-bashhistory-${devcontainerId},target=/commandhistory,type=volume",
+    "source=claude-code-config-${devcontainerId},target=/home/node/.claude,type=volume"
+  ],
+  "containerEnv": {
+    "NODE_OPTIONS": "--max-old-space-size=4096",
+    "CLAUDE_CONFIG_DIR": "/home/node/.claude",
+    "POWERLEVEL9K_DISABLE_GITSTATUS": "true"
+  },
+  "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=delegated",
+  "workspaceFolder": "/workspace",
+  "postStartCommand": "sudo /usr/local/bin/init-firewall.sh",
+  "waitFor": "postStartCommand"
+}
+```
+
+## Key settings explained
+
+| Setting | Purpose |
+|---------|---------|
+| `runArgs: --cap-add=NET_ADMIN,NET_RAW` | Required for the firewall script to configure iptables |
+| `remoteUser: node` | Runs as non-root for security |
+| `mounts` (bashhistory, config) | Persists shell history and Claude config between container restarts |
+| `postStartCommand` | Initializes the firewall on every container start |
+| `waitFor: postStartCommand` | Ensures firewall is active before VS Code connects |
+| `workspaceMount` | Binds the local project into `/workspace` with delegated consistency for performance |

package/skills/yolo/references/dockerfile.md

@@ -0,0 +1,108 @@
+# Dockerfile — Reference
+
+Write this file to `.devcontainer/Dockerfile`:
+
+```dockerfile
+FROM node:20
+
+ARG TZ
+ENV TZ="$TZ"
+
+ARG CLAUDE_CODE_VERSION=latest
+
+# Install basic development tools and iptables/ipset
+RUN apt-get update && apt-get install -y --no-install-recommends \
+  less \
+  git \
+  procps \
+  sudo \
+  fzf \
+  zsh \
+  man-db \
+  unzip \
+  gnupg2 \
+  gh \
+  iptables \
+  ipset \
+  iproute2 \
+  dnsutils \
+  aggregate \
+  jq \
+  nano \
+  vim \
+  && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Ensure default node user has access to /usr/local/share
+RUN mkdir -p /usr/local/share/npm-global && \
+  chown -R node:node /usr/local/share
+
+ARG USERNAME=node
+
+# Persist bash history.
+RUN SNIPPET="export PROMPT_COMMAND='history -a' && export HISTFILE=/commandhistory/.bash_history" \
+  && mkdir /commandhistory \
+  && touch /commandhistory/.bash_history \
+  && chown -R $USERNAME /commandhistory
+
+# Set `DEVCONTAINER` environment variable to help with orientation
+ENV DEVCONTAINER=true
+
+# Create workspace and config directories and set permissions
+RUN mkdir -p /workspace /home/node/.claude && \
+  chown -R node:node /workspace /home/node/.claude
+
+WORKDIR /workspace
+
+ARG GIT_DELTA_VERSION=0.18.2
+RUN ARCH=$(dpkg --print-architecture) && \
+  wget "https://github.com/dandavison/delta/releases/download/${GIT_DELTA_VERSION}/git-delta_${GIT_DELTA_VERSION}_${ARCH}.deb" && \
+  sudo dpkg -i "git-delta_${GIT_DELTA_VERSION}_${ARCH}.deb" && \
+  rm "git-delta_${GIT_DELTA_VERSION}_${ARCH}.deb"
+
+# Set up non-root user
+USER node
+
+# Install global packages
+ENV NPM_CONFIG_PREFIX=/usr/local/share/npm-global
+ENV PATH=$PATH:/usr/local/share/npm-global/bin
+
+# Set the default shell to zsh rather than sh
+ENV SHELL=/bin/zsh
+
+# Set the default editor and visual
+ENV EDITOR=nano
+ENV VISUAL=nano
+
+# Default powerline10k theme
+ARG ZSH_IN_DOCKER_VERSION=1.2.0
+RUN sh -c "$(wget -O- https://github.com/deluan/zsh-in-docker/releases/download/v${ZSH_IN_DOCKER_VERSION}/zsh-in-docker.sh)" -- \
+  -p git \
+  -p fzf \
+  -a "source /usr/share/doc/fzf/examples/key-bindings.zsh" \
+  -a "source /usr/share/doc/fzf/examples/completion.zsh" \
+  -a "export PROMPT_COMMAND='history -a' && export HISTFILE=/commandhistory/.bash_history" \
+  -x
+
+# Install Claude
+RUN npm install -g @anthropic-ai/claude-code@${CLAUDE_CODE_VERSION}
+
+# Copy and set up firewall script
+COPY init-firewall.sh /usr/local/bin/
+USER root
+RUN chmod +x /usr/local/bin/init-firewall.sh && \
+  echo "node ALL=(root) NOPASSWD: /usr/local/bin/init-firewall.sh" > /etc/sudoers.d/node-firewall && \
+  chmod 0440 /etc/sudoers.d/node-firewall
+USER node
+```
+
+## What this Dockerfile provides
+
+| Layer | Details |
+|-------|---------|
+| **Base image** | Node.js 20 (LTS) |
+| **Dev tools** | git, ZSH, fzf, gh CLI, jq, nano, vim, delta (git diff) |
+| **Network tools** | iptables, ipset, iproute2, dnsutils, aggregate (for firewall) |
+| **User** | Non-root `node` user with sudo for firewall script only |
+| **Shell** | ZSH with Powerlevel10k theme, fzf key bindings |
+| **Claude Code** | Installed globally via npm (version configurable via build arg) |
+| **Firewall** | `init-firewall.sh` copied and configured with passwordless sudo |

package/skills/yolo/references/init-firewall.sh.md

@@ -0,0 +1,167 @@
+# init-firewall.sh — Reference
+
+Write this file to `.devcontainer/init-firewall.sh`:
+
+```bash
+#!/bin/bash
+set -euo pipefail  # Exit on error, undefined vars, and pipeline failures
+IFS=$'\n\t'       # Stricter word splitting
+
+# 1. Extract Docker DNS info BEFORE any flushing
+DOCKER_DNS_RULES=$(iptables-save -t nat | grep "127\.0\.0\.11" || true)
+
+# Flush existing rules and delete existing ipsets
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+ipset destroy allowed-domains 2>/dev/null || true
+
+# 2. Selectively restore ONLY internal Docker DNS resolution
+if [ -n "$DOCKER_DNS_RULES" ]; then
+    echo "Restoring Docker DNS rules..."
+    iptables -t nat -N DOCKER_OUTPUT 2>/dev/null || true
+    iptables -t nat -N DOCKER_POSTROUTING 2>/dev/null || true
+    echo "$DOCKER_DNS_RULES" | xargs -L 1 iptables -t nat
+else
+    echo "No Docker DNS rules to restore"
+fi
+
+# First allow DNS and localhost before any restrictions
+# Allow outbound DNS
+iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+# Allow inbound DNS responses
+iptables -A INPUT -p udp --sport 53 -j ACCEPT
+# Allow outbound SSH
+iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
+# Allow inbound SSH responses
+iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
+# Allow localhost
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+
+# Create ipset with CIDR support
+ipset create allowed-domains hash:net
+
+# Fetch GitHub meta information and aggregate + add their IP ranges
+echo "Fetching GitHub IP ranges..."
+gh_ranges=$(curl -s https://api.github.com/meta)
+if [ -z "$gh_ranges" ]; then
+    echo "ERROR: Failed to fetch GitHub IP ranges"
+    exit 1
+fi
+
+if ! echo "$gh_ranges" | jq -e '.web and .api and .git' >/dev/null; then
+    echo "ERROR: GitHub API response missing required fields"
+    exit 1
+fi
+
+echo "Processing GitHub IPs..."
+while read -r cidr; do
+    if [[ ! "$cidr" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$ ]]; then
+        echo "ERROR: Invalid CIDR range from GitHub meta: $cidr"
+        exit 1
+    fi
+    echo "Adding GitHub range $cidr"
+    ipset add allowed-domains "$cidr"
+done < <(echo "$gh_ranges" | jq -r '(.web + .api + .git)[]' | aggregate -q)
+
+# Resolve and add other allowed domains
+for domain in \
+    "registry.npmjs.org" \
+    "api.anthropic.com" \
+    "sentry.io" \
+    "statsig.anthropic.com" \
+    "statsig.com" \
+    "marketplace.visualstudio.com" \
+    "vscode.blob.core.windows.net" \
+    "update.code.visualstudio.com"; do
+    echo "Resolving $domain..."
+    ips=$(dig +noall +answer A "$domain" | awk '$4 == "A" {print $5}')
+    if [ -z "$ips" ]; then
+        echo "ERROR: Failed to resolve $domain"
+        exit 1
+    fi
+
+    while read -r ip; do
+        if [[ ! "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+            echo "ERROR: Invalid IP from DNS for $domain: $ip"
+            exit 1
+        fi
+        echo "Adding $ip for $domain"
+        ipset add allowed-domains "$ip"
+    done < <(echo "$ips")
+done
+
+# Get host IP from default route
+HOST_IP=$(ip route | grep default | cut -d" " -f3)
+if [ -z "$HOST_IP" ]; then
+    echo "ERROR: Failed to detect host IP"
+    exit 1
+fi
+
+HOST_NETWORK=$(echo "$HOST_IP" | sed "s/\.[0-9]*$/.0\/24/")
+echo "Host network detected as: $HOST_NETWORK"
+
+# Set up remaining iptables rules
+iptables -A INPUT -s "$HOST_NETWORK" -j ACCEPT
+iptables -A OUTPUT -d "$HOST_NETWORK" -j ACCEPT
+
+# Set default policies to DROP first
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT DROP
+
+# First allow established connections for already approved traffic
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Then allow only specific outbound traffic to allowed domains
+iptables -A OUTPUT -m set --match-set allowed-domains dst -j ACCEPT
+
+# Explicitly REJECT all other outbound traffic for immediate feedback
+iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
+
+echo "Firewall configuration complete"
+echo "Verifying firewall rules..."
+if curl --connect-timeout 5 https://example.com >/dev/null 2>&1; then
+    echo "ERROR: Firewall verification failed - was able to reach https://example.com"
+    exit 1
+else
+    echo "Firewall verification passed - unable to reach https://example.com as expected"
+fi
+
+# Verify GitHub API access
+if ! curl --connect-timeout 5 https://api.github.com/zen >/dev/null 2>&1; then
+    echo "ERROR: Firewall verification failed - unable to reach https://api.github.com"
+    exit 1
+else
+    echo "Firewall verification passed - able to reach https://api.github.com as expected"
+fi
+```
+
+## Firewall rules summary
+
+| Rule | Direction | Purpose |
+|------|-----------|---------|
+| DNS (UDP 53) | Outbound | Domain name resolution |
+| SSH (TCP 22) | Outbound | Git over SSH |
+| Localhost | Both | Container-internal communication |
+| Host network | Both | Docker host ↔ container communication |
+| GitHub IPs | Outbound | Git operations, GitHub API (dynamically fetched from api.github.com/meta) |
+| npm registry | Outbound | Package installation |
+| api.anthropic.com | Outbound | Claude API calls |
+| sentry.io | Outbound | Error reporting |
+| statsig.anthropic.com | Outbound | Feature flags |
+| VS Code marketplace | Outbound | Extension downloads |
+| **Everything else** | **BLOCKED** | Default-deny with REJECT |
+
+## Verification on startup
+
+The script verifies the firewall by:
+1. Confirming `https://example.com` is **blocked** (should fail)
+2. Confirming `https://api.github.com` is **reachable** (should succeed)
+
+If either check fails, the script exits with an error and the container will not start.