Sandboxing for AI coding agents · Linux + macOS

Sandbox the agent. Keep your dev env.

Docker and VMs isolate by replacing your environment - fresh shell, no mise, no editor config, slow rebuilds. So most people skip isolation entirely. devsandbox brings your real shell, mise-managed tools, and editor setup into a per-project sandbox. Your ~/.ssh, cloud credentials, and other projects stay invisible.

mise use -g github:zekker6/devsandbox

Open source · MIT · Sub-second startup on Linux (bubblewrap) · Docker-backed on macOS

Most isolation tools make you rebuild your dev env from zero.

Spin up a Docker container or VM and you land in a stranger's machine: bash with no aliases, no mise, no editor, no prompt. Reinstall everything, fight file watchers, eat 10-30s cold starts. Eventually you give up and let the agent run on the host. devsandbox closes that gap.

Docker · VM

  • Fresh shell - no aliases, no history, no prompt
  • Reinstall every tool inside the container
  • Editor + LSP configs (nvim, helix, vscode) gone
  • mise, starship, tmux - gone
  • 10-30s cold start, slow rebuilds
  • File-watching breaks across the VM boundary

devsandbox

  • Your shell, your aliases, your history
  • mise tools mounted read-only - Go, Node, Python, all of it
  • Editor + LSP configs come along, untouched
  • Starship, tmux, nvim, fish, zsh - all preserved
  • Sub-second restart on Linux, 1-2s on macOS
  • Native file watching - bubblewrap shares the host kernel

Wrap any command. Inherit your env. Block the rest.

  1. wrap

    Prefix the command.

    The directory you run devsandbox from becomes the sandbox root. Everything outside it is gone.

    cd ~/projects/my-app
    devsandbox claude --dangerously-skip-permissions
  2. inherit

    Your env follows you in.

    mise tools, shell configs, editor and prompt - auto-detected, bound read-only. No reinstall, no Dockerfile, no mise install twice.

    # inside the sandbox
    mise ls            # your real toolchain
    which nvim         # your real editor
    env | grep '^STARSHIP_'   # your real prompt
  3. isolate

    Credentials stay out.

    SSH keys, cloud creds, .env, sibling projects - invisible. .git is read-only by default. Now --dangerously-skip-permissions actually means something.

    ls ~/.ssh
    # No such file or directory
    
    cat .env
    # (empty - masked with /dev/null)
  4. observe

    Network, on your terms.

    Add --proxy to log every HTTP call. Block, allow, or interactively approve domains as the agent runs.

    devsandbox --proxy claude --dangerously-skip-permissions
    devsandbox logs proxy --last 50

Zero-config defaults. Reach what isn't mounted.

DX is the headline; isolation is the floor. The defaults are tuned so that an agent inside a fresh sandbox can do its job and nothing more - no flags required.

read · write · inherit

  • Your project directory
  • mise-managed tools (read-only)
  • Shell, editor, prompt configs (read-only)

blocked by default

  • ~/.ssh - keys, known_hosts
  • ~/.aws, ~/.azure, ~/.gcloud
  • .env and .env.* (masked)
  • Parent dirs and sibling projects
  • Git commits (.git read-only)
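
A check to run inside the sandbox to confirm that the defaults listed above actually hold. This is an added example, not part of devsandbox: the function name `sandbox_audit` and its output lines are assumptions, and the paths it checks mirror the "blocked by default" list on this page.

```shell
#!/bin/sh
# Added example (not devsandbox code): report anything still reachable that
# the page lists under "blocked by default".
# Run inside the sandbox as:  sandbox_audit "$HOME" "$PWD"
# Prints one line per finding; returns 0 when clean, 1 otherwise.
sandbox_audit() {
    home=$1; project=$2; bad=0

    # Credential directories named on the page.
    for d in .ssh .aws .azure .gcloud; do
        if [ -e "$home/$d" ]; then
            echo "EXPOSED credential dir: $home/$d"; bad=1
        fi
    done

    # .env and .env.* must read as empty (page: masked with /dev/null).
    # An unmatched glob stays literal and fails the -s test, which is fine.
    for f in "$project"/.env "$project"/.env.*; do
        if [ -s "$f" ]; then
            echo "UNMASKED env file: $f"; bad=1
        fi
    done

    # .git must not be writable by the sandboxed process.
    if [ -d "$project/.git" ] && [ -w "$project/.git" ]; then
        echo "WRITABLE git dir: $project/.git"; bad=1
    fi

    # No non-hidden entry next to the project should be visible.
    parent=$(dirname "$project")
    for s in "$parent"/*; do
        [ -e "$s" ] || continue
        [ "$s" = "$project" ] && continue
        echo "VISIBLE sibling: $s"; bad=1
    done

    return "$bad"
}
```

Running the same function on the host, outside the sandbox, gives a baseline of what the agent would otherwise be able to reach.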