Running Claude Code locally is annoying since you have to deal with permissions and agents interfering with each other (and you have to be at your computer), but running Claude Code on the web is annoying because the cloud environment is so limited[1].
What if we could run Claude Code for the web but on our machines? Through the magic of Claude Code writing Claude Code code, I made a local app for this.
Announcing Clawed Burrow[2]: A web app you can run on your own home computer which runs Claude Code without permission prompts in ephemeral containers, and with the ability to install packages, run containers, use caches, and access the GPU.
Claude training a toy model using a GPU.
Permissions and Sandboxing
The runners can probably do whatever they want with the permissions of the host user they run as. There is no networking sandboxing whatsoever and an attacker can potentially convince Claude to upload any files it can see.
Claude is running with --dangerously-skip-permissions, and it has a Podman user-level socket passed in from the host to the runner container. A Docker-like socket is sufficient to view all files owned by the user it runs as, which is why we don't give it a root-level socket.
For additional safety, you can run Clawed Burrow as an unprivileged user separate from your normal user account. You can sandbox this even further with systemd but I think realistically the worst thing an attacker could convince Claude to do is exfiltrate files, which you can prevent by ensuring Claude can't read your normal user's files.
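A quick way to check the last point before pointing a runner account at a machine, as an added example that is not part of Clawed Burrow: a mode-bit audit that lists which files under a home directory an unrelated local account could read. It assumes access is decided by the "other" permission bits only (shared groups and ACLs are not considered); the function names and the /home/alice path are placeholders.

```shell
#!/bin/sh
# Added example (not from Clawed Burrow): mode-bit audit of what an
# unrelated local account, such as a dedicated runner user, could read.
# Assumption: access is decided by the "other" permission bits only;
# shared groups and POSIX ACLs are not considered.

# Print the three "other" permission characters of PATH, e.g. "r-x".
other_perms() {
    line=$(ls -ldL -- "$1" 2>/dev/null) || return 2
    printf '%s\n' "$line" | cut -c8-10
}

# Return 0 if FILE is readable by "other": the file has o+r and every
# directory from its parent up to STOP (default /) has o+x.
# Return 1 if blocked, 2 if the path is relative or missing.
reachable_by_other() {
    target=$1 stop=${2:-/}
    case $target in /*) ;; *) return 2 ;; esac
    p=$(other_perms "$target") || return 2
    case $p in r??) ;; *) return 1 ;; esac
    dir=$(dirname -- "$target")
    while :; do
        case $(other_perms "$dir") in ??x|??t) ;; *) return 1 ;; esac
        if [ "$dir" = "$stop" ] || [ "$dir" = "/" ]; then return 0; fi
        dir=$(dirname -- "$dir")
    done
}

# List regular files under DIR that "other" can read (one per line).
# File names containing newlines are not handled.
audit_home() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        if reachable_by_other "$f" "${2:-/}"; then printf '%s\n' "$f"; fi
    done
}

# Usage: sh audit.sh /home/alice   (path is a placeholder)
if [ "$#" -gt 0 ]; then audit_home "$1"; fi
```

An empty result means the home directory is closed to accounts outside its owner and group; a single `chmod 700` on the home directory is enough to get there, because every file below it then fails the ancestor check.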
Anthropic Subscriptions
By default this uses whatever authentication you have configured in the user's ~/.claude, which means it does use Claude subscriptions. I think we're allowed to use subscriptions instead of API keys for this, since it's really just an elaborate tmux session running the real version of Claude Code served over HTTP, but Anthropic has a sort-of confusing policy around this so I guess we'll see.
If you work at Anthropic and don't like this, please let me know.
Features
GPU support
Presumably Anthropic doesn't offer GPUs since they're expensive, but I already have one and want to be able to use it.
Claude can actually see and use my GPU for ML training.
Docker
Docker support is actually through Podman, which lets us run as a normal user instead of root.
Gradle (Android)
I expect this to be fixed in real Claude Code one day, but their current network setup breaks Gradle in a way that I can't find any workaround for.
Claude is surprisingly OK at writing working Android code without being able to run the linters or unit tests, but it's a lot more consistent if it can.
Remote Access
Since this exposes local access to your computer (even if we do try to sandbox it), I was pretty paranoid about security, so I'm using Tailscale for remote access. To actually log into this, you need to be on the Tailscale VPN and have a password.
Anyway, wrapping another binary with multiple levels of containers is complicated and this isn't the most reliable code I've ever worked on, but I figured I'd post about this since it's incredibly useful despite the warts and maybe other people will find it interesting too.
[1] Things you can't do in Claude Code's cloud environment:
[2] Claude suggested that a burrow was very far from a cloud, and I had a good logo idea.