heri16 heri16

Intercepting & Controlling Network Traffic for Claude Code

Inspect decrypted HTTPS traffic from a macOS guest VM, with per-domain breakpoints and firewall control on the host.

Prerequisites

Install on the host Mac before starting:

Proxyman: proxyman.io
Vallum: vallumfirewall.com

Why

See article: Devcontainers, Little Snitch, macOS TCC - protecting developer laptops

How To

Install Secretive using brew install --cask secretive, then launch Secretive App.
Create a new secret that requires authentication, named gitsign. You will need to perform biometric authentication each time this key is used.

What

This is open-source code that lets you secure or mask numbers (within Postgresql DB) for use as unique IDs that are 6-digits or more.

This is what they look like:

https://example.com/order/053124

What

This is open-source code that lets you generate short unique identifiers from numbers (within Postgres DB). These IDs are URL-safe, can encode several numbers, and do not contain common profanity words.

This is what they look like:

https://example.com/order/FHxkSB1ai

Captive Portal Detection

Browsers:

captive.apple.com, www.apple.com, clients3.google.com, clients4.google.com, connectivitycheck.gstatic.com, www.gstatic.com, edge-http.microsoft.com, msftconnecttest.com, detectportal.brave-http-only.com, detectportal.firefox.com, spectrum.s3.amazonaws.com, cloudflareportal.com, cloudflarecp.com, cloudflareok.com, connectivity-check.warp-svc, connectivity.cloudflareclient.com

See:

https://captivebehavior.wballiance.com/

	docker run --rm -v "$(pwd)"/bin/:/builder/bin -it ghcr.io/openwrt/sdk:ipq40xx-generic-24.10.5

	# inside the Docker container
	[ ! -d ./scripts ] && ./setup.sh

	# See: https://openwrt.org/docs/guide-developer/toolchain/using_the_sdk#load_package_lists
	./scripts/feeds update base
	./scripts/feeds update packages
	#./scripts/feeds update -a
	#./scripts/feeds uninstall -a

	# Set public ip address of VPS
	NODE_IP=103.90.238.200

	# Setup modern TERM
	infocmp -x xterm-ghostty \| ssh "nonroot@${NODE_IP}" -- tic -x -
	infocmp -x xterm-ghostty \| ssh "nonroot@${NODE_IP}" -- sudo tic -x -

	# Connect via ssh
	ssh "nonroot@${NODE_IP}"

	#!/bin/zsh

	# Install dangerzone
	brew install --cask dangerzone

	/Applications/Dangerzone.app/Contents/MacOS/dangerzone-cli --set-container-runtime podman
	podman machine init -v "${HOME}/Library/Caches:${HOME}/Library/Caches"
	podman machine start

	echo '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"/>' > empty.svg

	#!/bin/bash
	# Setup podman virtual machine with no bind mounts: `podman machine init -v ''`.
	# Start podman virtual machine: `podman machine start`.
	# Connect to podman machine: `podman machine ssh`.

	# Install latest release of gVisor
	# See: https://gvisor.dev/docs/user_guide/install/
	(
	set -e
	ARCH=$(uname -m)

	#!/bin/sh
	CF_API_TOKEN="redacted"

	# check api token is valid
	curl -X GET "https://api.cloudflare.com/client/v4/accounts/8bb6305b489fc12377ff03ffbcbadbc6/tokens/verify" \
	-H "Authorization: Bearer $CF_API_TOKEN" \
	-H "Content-Type:application/json"

	# reset to defaults (includes weak ciphers)
	curl --request PATCH \