// the find
akitaonrails/ai-jail
Multi-OS sandbox to run AI agents with better constraints (it is not 100% secure, but enough)
ai-jail is a Rust CLI that wraps AI coding agents (Claude Code, Codex, etc.) in OS-level sandboxes — bwrap on Linux, sandbox-exec on macOS — restricting which paths they can read or write. It is aimed at developers who want to run AI agents on real projects without giving them free rein over the home directory or system. Not a VM, not a container runtime: a process sandbox with opinionated defaults.
The Linux security stack is genuinely layered: bwrap namespaces, Landlock LSM at the VFS level, seccomp-bpf filtering ~30 dangerous syscalls, and rlimits — each layer catches things the previous one misses. The overlay maps feature is the most original idea here: it mounts a sensitive directory copy-on-write so an agent can freely write to it while the original stays untouched, and the diff lands in a structured upper/ layer you can inspect and selectively promote. Distribution story is solid — Homebrew, AUR (both binary and source), Nix flake, mise, cargo — they actually thought about how developers install things. The --mask and --deny-path flags with glob support (including recursive **) for hiding .env files and secrets from agents are practical and cover a real footgun.
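Deny globs are only as good as their coverage, so before trusting a mask list it is worth seeing which files it would actually hide. The script below is an added example written for this review, not ai-jail's own code: it translates deny-path style globs into regexes and lists the files under a project tree that would be hidden. The matching rules are an assumption for this script (`*` and `?` stay within one path component, `**` spans directories); ai-jail's exact semantics are not documented on this page.

```bash
#!/usr/bin/env bash
# Added example (not ai-jail code): dry-run audit of which files a set of
# deny-path style globs would hide. Glob semantics are an assumption for this
# script: '*' and '?' stay within one path component, '**' spans directories.
set -euo pipefail

# Translate one glob into an anchored POSIX ERE.
#   '**/'  -> '(.*/)?'   any number of leading directories, or none
#   '**'   -> '.*'       anything, including '/'
#   '*'    -> '[^/]*'    anything within one path component
#   '?'    -> '[^/]'     one character within a component
# Regex metacharacters in the glob are escaped so '.env' stays literal.
glob_to_regex() {
  local glob=$1 re='' c
  local n=${#glob} i=0
  local specials='.[](){}+^$|\'
  while (( i < n )); do
    c=${glob:i:1}
    if [[ $c == '*' && ${glob:i+1:1} == '*' ]]; then
      if [[ ${glob:i+2:1} == '/' ]]; then
        re+='(.*/)?'; (( i += 3 ))
      else
        re+='.*'; (( i += 2 ))
      fi
    elif [[ $c == '*' ]]; then
      re+='[^/]*'; (( i += 1 ))
    elif [[ $c == '?' ]]; then
      re+='[^/]'; (( i += 1 ))
    elif [[ $specials == *"$c"* ]]; then
      re+="\\$c"; (( i += 1 ))
    else
      re+="$c"; (( i += 1 ))
    fi
  done
  printf '^%s$' "$re"
}

# Return 0 when the project-relative path would be hidden by the glob.
matches_deny() {
  local re
  re=$(glob_to_regex "$1")
  [[ $2 =~ $re ]]
}

# Print every regular file under ROOT (as a ROOT-relative path) that at least
# one of the given globs would hide, sorted, so the list can be reviewed or
# diffed before the agent is launched.
list_hidden_files() {
  local root=$1; shift
  local f rel g
  find "$root" -type f | LC_ALL=C sort | while IFS= read -r f; do
    rel=${f#"$root"/}
    for g in "$@"; do
      if matches_deny "$g" "$rel"; then
        printf '%s\n' "$rel"
        break
      fi
    done
  done
  return 0
}

# Usage: ./deny_audit.sh PROJECT_ROOT GLOB [GLOB...]
#   e.g. ./deny_audit.sh . '**/.env*' '**/*.pem'
if (( $# > 0 )); then
  list_hidden_files "$@"
fi
```

Run it against the project root with the same globs you intend to pass to the sandbox; anything credential-like that is missing from the output (a `.pem` under `deploy/`, a `credentials.json` in a vendored directory) is a gap in the deny list, not something the sandbox will catch for you.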
The macOS backend uses sandbox-exec, which Apple deprecated and could remove in any future OS release — there's no migration plan in the docs, just a note that it works today. The default mode is more porous than it looks: Docker socket auto-passes through when the socket exists, XDG_RUNTIME_DIR is exposed (which leaks host IPC), and shell environment variables including API tokens are fully inherited — easy to think you're contained when you aren't. Ubuntu 24.04+ and Debian 13+ users hit an AppArmor wall on first run, and one of the two suggested fixes (relaxing unprivileged user namespaces system-wide) is a meaningful security regression on those distros. There is no outbound network filtering in normal mode — agents can make arbitrary TCP connections unless you drop into lockdown, which also makes the project read-only and kills Docker and GPU, making it unsuitable for most real dev workflows.
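A preflight check for the porous defaults described above, as an added example written for this review (bash, not ai-jail's code): it reports credential-looking environment variable names without printing their values, reports whether the Docker socket and XDG_RUNTIME_DIR are present on the host, and builds an allowlisted environment for `env -i` so that only named variables reach the agent. The credential-name pattern, the default socket path and the allowlist are this script's own assumptions.

```bash
#!/usr/bin/env bash
# Added example (not ai-jail code): preflight audit of what a permissive default
# sandbox mode would hand to an agent. The credential-name pattern, the socket
# path default and the allowlist are assumptions made for this script.
set -euo pipefail

# Variable names that usually carry credentials (assumed pattern; extend it).
SECRET_NAME_PATTERN='(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY|CREDENTIALS)'

# Read NAME=VALUE lines on stdin (e.g. from `env`) and print only the NAMES that
# look like credentials. Values are never printed, so the report is safe to log.
leaked_secret_names() {
  local line name
  while IFS= read -r line; do
    name=${line%%=*}
    if [[ $name =~ $SECRET_NAME_PATTERN ]]; then
      printf '%s\n' "$name"
    fi
  done
  return 0
}

# Report host resources a permissive default would expose, one "resource: path"
# line each. Arguments: Docker socket path (default /var/run/docker.sock) and the
# runtime dir to check (defaults to $XDG_RUNTIME_DIR); an empty runtime dir
# argument means "not set".
exposed_host_resources() {
  local docker_sock=${1:-/var/run/docker.sock}
  local runtime_dir=${2-${XDG_RUNTIME_DIR-}}
  if [[ -S $docker_sock ]]; then
    printf 'docker-socket: %s\n' "$docker_sock"
  fi
  if [[ -n $runtime_dir ]]; then
    printf 'xdg-runtime-dir: %s\n' "$runtime_dir"
  fi
  return 0
}

# Print NAME=VALUE for each allowlisted variable that is set, one per line, for
# use with `env -i`: everything not named here (API tokens included) is dropped.
# Values containing newlines would split across lines; keep the allowlist to
# simple variables such as HOME, PATH, TERM and LANG.
scrubbed_env_args() {
  local name
  for name in "$@"; do
    if [[ -n ${!name+x} ]]; then
      printf '%s=%s\n' "$name" "${!name}"
    fi
  done
  return 0
}

# Usage: ./preflight.sh audit            -> report on the current shell
#        ./preflight.sh launch CMD...    -> run CMD with only the allowlisted env
case ${1-} in
  audit)
    echo '# credential-looking variables in this shell (names only):'
    env | leaked_secret_names
    echo '# host resources a permissive default would pass through:'
    exposed_host_resources
    ;;
  launch)
    shift
    SAFE_ENV=()
    while IFS= read -r kv; do SAFE_ENV+=("$kv"); done < <(scrubbed_env_args HOME PATH TERM LANG)
    # CMD is whatever sandbox launch command you use today (placeholder, not shown).
    exec env -i "${SAFE_ENV[@]}" "$@"
    ;;
esac
```

The `audit` mode is the one to run first: if it lists a `GITHUB_TOKEN` or an `ANTHROPIC_API_KEY`, the default sandbox mode will hand that variable to the agent unchanged, and the fix is to launch through `env -i` with an explicit allowlist (the `launch` mode) rather than to rely on path restrictions that never looked at the environment.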