akitaonrails / ai-jail: Secure sandboxing for AI agents across OS
ai-jail: Sandboxing AI Coding Agents
ai-jail is a multi-OS sandbox wrapper for AI coding agents. It runs the agent in an isolated environment where access to the host is limited to what has been explicitly granted, so a tool invoked by the agent cannot reach files, devices or services it was not given. It is aimed at developers and power users who run agents such as Claude Code, GPT Codex and others against local projects and want a hard limit on what those agents can touch on the host.
How It Works
On Linux, ai-jail builds on bubblewrap (bwrap) and stacks several kernel mechanisms: namespace isolation (PID, UTS, IPC, mount, network), Landlock LSM filesystem rules (Linux 5.13+), seccomp-bpf syscall filtering, and resource limits. Each layer constrains the agent independently, so a gap in one (for example a path left reachable by the mount layout) is still caught by another; this is the defense-in-depth the project relies on. On macOS it uses the sandbox-exec utility instead. The default profile favours usability; a strict --lockdown mode for untrusted workloads mounts the project read-only and disables conveniences such as GPU and Docker passthrough.
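As an added illustration, not ai-jail's own code or policy, the script below expresses the Linux layering described above, together with the tmpfs-home layering listed under Highlighted Details, as a direct bubblewrap invocation: separate namespaces, a read-only view of the host toolchain, an empty tmpfs in place of $HOME with selected directories bound back in, and a lockdown variant that makes the project read-only and drops GPU and Docker passthrough. The tool directories, cache paths, passthrough paths and the choice to cut the network namespace only in lockdown are assumptions for the example; Landlock and seccomp-bpf are not bwrap flags and are omitted here.

```shell
#!/bin/sh
# Added example: namespace and mount layering for an AI agent jail, written
# against bubblewrap directly. Not ai-jail's own code; flag set is assumed.
# Requires bwrap 0.4+ for the *-try variants (skip a bind if the source is absent).

# Print one bwrap argument per line for PROJECT in MODE (normal | lockdown).
# Newline-separated output keeps paths containing spaces intact.
build_jail_args() {
    project=$1
    mode=${2:-normal}

    # Separate PID, UTS and IPC namespaces; die with the parent so an orphaned
    # agent cannot outlive the session; new session blocks TIOCSTI injection.
    printf '%s\n' --unshare-pid --unshare-uts --unshare-ipc \
        --die-with-parent --new-session

    # Read-only view of the host toolchain; fresh /proc, /dev and /tmp.
    printf '%s\n' --ro-bind /usr /usr --ro-bind /etc /etc \
        --ro-bind-try /lib /lib --ro-bind-try /lib64 /lib64 --ro-bind-try /bin /bin \
        --proc /proc --dev /dev --tmpfs /tmp

    # Replace $HOME with an empty tmpfs: ~/.ssh, ~/.gnupg and every other
    # dotfile simply do not exist inside the jail unless bound back in below.
    printf '%s\n' --tmpfs "$HOME"

    if [ "$mode" = lockdown ]; then
        # Untrusted workload: project read-only, bare home, no network,
        # no device or Docker passthrough.
        printf '%s\n' --unshare-net --ro-bind "$project" "$project"
    else
        # Normal mode: writable project; agent state and build caches layered
        # over the tmpfs home (directory names are illustrative assumptions);
        # GPU and Docker socket passed through. The network namespace is kept
        # because an agent that talks to a hosted model still needs it.
        printf '%s\n' --bind "$project" "$project"
        for d in .claude .codex .cargo/registry .cache/pip; do
            printf '%s\n' --bind-try "$HOME/$d" "$HOME/$d"
        done
        printf '%s\n' --dev-bind-try /dev/dri /dev/dri \
            --bind-try /var/run/docker.sock /var/run/docker.sock
    fi
    printf '%s\n' --chdir "$project"
}

# Run COMMAND inside the jail. Refuses to run at all when bwrap is missing:
# a wrapper that silently falls through to the host is worse than one that fails.
# PROJECT must be an absolute path.
run_jail() {
    project=$1
    mode=$2
    shift 2
    command -v bwrap >/dev/null 2>&1 || { echo "bwrap not installed" >&2; return 127; }
    [ -d "$project" ] || { echo "project directory not found: $project" >&2; return 1; }
    # Load the newline-separated argument list into the positional parameters
    # without word splitting on spaces or glob expansion.
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $(build_jail_args "$project" "$mode") -- "$@"
    set +f
    IFS=$old_ifs
    bwrap "$@"
}

# Usage (not executed when the file is sourced):
#   run_jail "$PWD" normal   bash -l     # day-to-day work on a trusted project
#   run_jail "$PWD" lockdown bash -l     # untrusted code: read-only, no network
```

Ordering matters in bwrap: each --bind-try after --tmpfs "$HOME" lands on top of the empty home, which is what gives the selective layering; putting the tmpfs last would hide everything again.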
Quick Start & Requirements
Install via Homebrew (brew install ai-jail), cargo install ai-jail, Nix, or a prebuilt binary; building from source with cargo build --release also works. Linux hosts need bubblewrap (bwrap) installed. On Windows, run ai-jail under WSL 2 with bubblewrap installed inside the Linux distribution.
Highlighted Details
- Home isolation: replaces $HOME with a tmpfs, selectively layering AI tool directories and build caches while hiding sensitive dotfiles like .ssh and .gnupg.
- Bare home: an option that presents $HOME as a bare tmpfs with nothing layered in.
- Status display: shows the ai-jail version and update availability, and keeps showing them even when the child application resets the screen.
- mise integration: exposes mise environments, granting AI tools access to project-specific language versions.
Maintenance & Community
No specific details regarding maintainers, sponsorships, or community channels (like Discord/Slack) were found in the provided README.
Licensing & Compatibility
The project is licensed under GPL-3.0. As a strong copyleft licence it governs redistribution of modified builds and of code linked against ai-jail, which matters for bundling it into closed-source products; merely running the tool against a proprietary code base is not affected. Native Windows support is not provided; users must operate within WSL 2.
Limitations & Caveats
ai-jail is a hardening layer, not a complete security boundary. Its guarantees rest on the host kernel's integrity: a kernel vulnerability that escapes namespaces, Landlock or seccomp defeats it, and such escapes are out of scope. It provides process sandboxing, not the hardware-backed isolation of a VM, so treat it as reducing the blast radius of a misbehaving agent rather than containing a determined attacker. The sandbox-exec interface on macOS is deprecated by Apple, so the macOS backend may break with a future release. Policy parity between Linux and macOS is approximate; do not assume a rule enforced on one platform holds identically on the other.