Fine-grained HTTP filtering for Claude Code (ammar.io)

🤖 AI Summary
A Coder engineer announced httpjail, a lightweight HTTP(S) interception and process-level network isolation tool designed to give fine-grained outbound filtering for coding agents (e.g., Claude). It is meant to reduce common agent risks (destructive actions, leaking secrets, or overbroad authority) by letting operators write rules as JavaScript expressions or shell checks (examples: allow only api.anthropic.com, allow only GET, or whitelist hosts from a file). Unlike brittle IP-based controls, httpjail inspects requests and can enforce or suggest routing to a proxy, making agentic development safer and more governable across teams and deployments.

Technically, httpjail offers two modes: a strong mode (Linux/macOS with network namespaces + nftables redirect and forced proxying) and a weak mode (macOS default, relies on HTTP_PROXY env vars). It performs full TLS interception via a generated CA (~/.config/httpjail/) and on-the-fly ECDSA P-256 certs (cached for performance), supports both transparent and CONNECT proxy flows, and injects common CA env vars for tools (curl, git, Node, Python). It also has a --docker-run helper to combine network and filesystem isolation and a server mode for centralized enforcement. Limitations include trivial weak-mode escapes, possible filesystem-based breakout (e.g., Docker socket), and the need to trust the generated CA. Source is available on GitHub and installable via cargo.
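The rule styles named in the summary (single host, GET only, hosts from a file) can be checked offline against sample traffic before they are trusted; the harness below is an added example, not httpjail's code, and it goes slightly beyond the summary by also showing how a loose suffix match differs from an exact host match. The request shape (`r.host`, `r.method`), the helper names and the sample hosts are assumptions constructed for this example.

```javascript
// Added example: offline harness for checking allow rules against constructed requests.
// Assumption: a rule is a JS expression over a request object `r` with `host` and
// `method` fields; this shape is hypothetical, not httpjail's documented API.

// Compile a rule; anything other than a strict `true` result (including a throw) denies.
function compileRule(expr) {
  const fn = new Function('r', `"use strict"; return (${expr});`);
  return (r) => {
    try { return fn(Object.freeze({ ...r })) === true; }
    catch (_) { return false; }
  };
}

// Build an exact-match host rule from allow-list file contents (one host per line).
function ruleFromHostList(text) {
  const hosts = text.split('\n').map((l) => l.trim().toLowerCase())
    .filter((l) => l && !l.startsWith('#'));
  return `${JSON.stringify(hosts)}.includes(r.host.toLowerCase())`;
}

// Evaluate every constructed request against a rule and return the verdicts.
function audit(expr, requests) {
  const allow = compileRule(expr);
  return requests.map((r) => ({ ...r, allowed: allow(r) }));
}

// Constructed sample traffic, including look-alike hosts a loose rule lets through.
const SAMPLE = [
  { method: 'POST', host: 'api.anthropic.com' },
  { method: 'GET', host: 'api.anthropic.com.lookalike.example' },
  { method: 'GET', host: 'evilanthropic.com' },
  { method: 'POST', host: 'pastebin.example' },
  { method: 'GET' }, // malformed: no host field
];

const RULES = {
  exactHost: "r.host === 'api.anthropic.com'",
  looseSuffix: "r.host.endsWith('anthropic.com')", // weak: also matches evilanthropic.com
  getOnly: "r.method === 'GET'", // method-only rule: says nothing about destination
  fromFile: ruleFromHostList('# constructed allow-list\napi.anthropic.com\ngithub.com\n'),
};

// Hosts of the sample requests that a named rule would let through.
function allowedHosts(ruleName) {
  return audit(RULES[ruleName], SAMPLE).filter((v) => v.allowed).map((v) => v.host);
}

for (const name of Object.keys(RULES)) console.log(name, allowedHosts(name));
```

A rule that throws on a malformed request is treated as a deny here, so a missing field fails closed rather than open.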