NAME

hihi — ephemeral dev sandbox with VPN and inspecting proxy

SYNOPSIS

$ curl -fsSL hihi.sh | sh

macOS + Linux · needs Docker, bash, curl · then hihi up · uninstall: hihi cleanup --unlink

hihi [command] [args]

DESCRIPTION

Run CLI tools and AI agents in throwaway containers where every byte of traffic leaves through a VPN tunnel (Surfshark/OpenVPN) and passes an inspecting mitmproxy — your real IP never leaks, and you can watch exactly what your tools send. Three services, one compose project:

gateway
openvpn + mitmproxy — 127.0.0.1:8080 proxy, :8081 mitmweb, :8082 health
cli
ephemeral dev shell — node, git, python3, jq, less; AI CLIs: claude code, copilot, gh, wrangler, ollama (local + cloud). PWD mounted at ~/project
browser
ephemeral hardened Chromium via KasmVNC — http://localhost:8083, no login, localhost-only

Each cli/browser session gets a 4-hex id: container hihi-cli-run-id, prompt hihi#id.

$ hihi

  █▌ █▌ █▌  hihi 1.0.36
  ████▌ █▌  Ephemeral sandbox with VPN and inspecting proxy
  █▌ █▌ █▌  ~/.config/hihi/hihi.conf

Status
  gateway       Up 2 hours (healthy)  127.0.0.1:8080, 127.0.0.1:8081, 127.0.0.1:8082
  cli #a3f9     Up 25 minutes
  browser #3f2a Up 3 minutes          127.0.0.1:8083

Usage: hihi [command] [args] 
$ hihi cli

  █▌ █▌ █▌  hihi 1.0.36 · cli #a3f9
  ████▌ █▌  Ephemeral sandbox with VPN and inspecting proxy
  █▌ █▌ █▌  ~/code/myapp → ~/project

[cli] All traffic → gateway (172.28.0.2) → VPN
[cli] External IP: 138.199.62.144  (proxy: http://gateway:8080)
[cli] Tools: gh wrangler copilot claude ollama + git python3 jq

hihi#a3f9:~/project$ 

QUICK START

First up writes a fully-commented config template (chmod 600) — no interactive wizard. Fill in your Surfshark credentials, run up again:

$ curl -fsSL hihi.sh | sh          # install
$ hihi up                          # writes ~/.config/hihi/hihi.conf
$ vi ~/.config/hihi/hihi.conf      # set VPN_USER / VPN_PASS (VPN_LOCATION: tw-tai)
$ hihi up                          # tunnel up — then: hihi cli · hihi browser

COMMANDS

(none)
Status + help (a repo/tarball run first syncs itself to ~/.local)
up
Self-update, start gateway; first run writes a config template to fill in
down
Stop gateway
cli [cmd]
Ephemeral shell/command, all traffic via VPN (PWD → ~/project)
--port N
publish container port N to host 127.0.0.1:N (repeatable)
browser [port]
Ephemeral hardened Chromium via KasmVNC — UI on localhost:port (default 8083)
--verbose
stream KasmVNC/session logs to the console
status
Gateway state, VPN health, external IPs
logs
Follow gateway logs
cleanup
Remove hihi containers, images, volumes, network
--nocache
also docker build cache + ~/.cache/hihi (VPN bundle)
--noconfig
also the config dir (~/.config/hihi)
--unlink
also the ~/.local install — then rerun from the repo, or curl again
help
Show usage

FILES

~/.config/hihi/
per machine — hihi.conf (secrets, VPN, ports) + claude/ + ollama/ login state
~/.cache/hihi/
cached VPN bundle zip
~/.local/share/hihi/
the installed runtime; VERSION inside, hihi symlinked at ~/.local/bin

ENVIRONMENT

HIHI_CONF=path — select a different hihi.conf (extra profiles).

UPDATES

hihi.sh installs itself: any run from a repo or tarball syncs the runtime into ~/.local/share/hihi. Installed copies self-update from https://hihi.sh on hihi up — 2s probe, fail-soft, stage-then-swap, never bricks. Version is 1.0.<commit count>, shown in the banner.

REQUIREMENTS

Docker Desktop or engine, bash, curl. macOS (bash 3.2 ok) and Linux.

INSTALL / UNINSTALL

Install: curl -fsSL hihi.sh | sh — also hihi.sh/install. Uninstall: hihi cleanup --unlink.