{"id":43252478,"url":"https://github.com/zekker6/devsandbox","last_synced_at":"2026-04-01T22:52:18.751Z","repository":{"id":335811771,"uuid":"1147049778","full_name":"zekker6/devsandbox","owner":"zekker6","description":"Sandbox for running untrusted dev tools. Filesystem isolation via bubblewrap, optional MITM proxy for traffic inspection. Perfect for AI coding   assistants.","archived":false,"fork":false,"pushed_at":"2026-03-26T07:38:37.000Z","size":1473,"stargazers_count":6,"open_issues_count":3,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-27T02:39:59.338Z","etag":null,"topics":["ai-coding-assistant","bubblewrap","claude-code","development-tools","linux","mitm","namespaces","proxy","sandbox","security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zekker6.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":"roadmap.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-01T05:21:57.000Z","updated_at":"2026-03-26T07:38:40.000Z","dependencies_parsed_at":"2026-03-06T07:00:31.722Z","dependency_job_id":null,"html_url":"https://github.com/zekker6/devsandbox","commit_stats":null,"previous_names":["zekker6/devsandbox"],"tags_count":23,"template":false,"template_full_name":null,"purl":"pkg:github/zekker6/devsandbox","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zekker6%2Fdevsandbox","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zekker6%2Fdevsandbox/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zekker6%2Fdevsandbox/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zekker6%2Fdevsandbox/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zekker6","download_url":"https://codeload.github.com/zekker6/devsandbox/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zekker6%2Fdevsandbox/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31292713,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T21:15:39.731Z","status":"ssl_error","status_checked_at":"2026-04-01T21:15:34.046Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-coding-assistant","bubblewrap","claude-code","development-tools","linux","mitm","namespaces","proxy","sandbox","security"],"created_at":"2026-02-01T13:14:10.491Z","updated_at":"2026-04-01T22:52:18.743Z","avatar_url":"https://github.com/zekker6.png","language":"Go","readme":"# devsandbox\n\nSandbox your AI coding assistants. Run Claude Code, Copilot, aider, and other tools without exposing SSH keys, cloud credentials, or secrets.\n\n## The Problem\n\nAI coding assistants execute shell commands, install packages, and make network requests on your machine -- with full access to your `~/.ssh` keys, `~/.aws` credentials, `.env` secrets, and everything else. An AI agent with unrestricted access could read your `~/.ssh/id_ed25519`, exfiltrate `~/.aws/credentials` via an API call, or `rm -rf` your home directory.\n\ndevsandbox removes that risk. It wraps any command in a sandbox scoped to your current working directory -- the directory you run `devsandbox` from becomes the project root with full read/write access, while everything outside it (credentials, keys, secrets, other projects) is blocked. An optional proxy mode logs every HTTP/HTTPS request for inspection.\n\n## Prerequisites\n\ndevsandbox requires [mise](https://mise.jdx.dev/) for tool version management. Install it before proceeding.\n\n**Linux:**\n\n```bash\ncurl https://mise.jdx.dev/install.sh | sh\n```\n\nAfter installing, activate mise in your shell ([setup guide](https://mise.jdx.dev/getting-started.html)):\n\n```bash\n# bash\necho 'eval \"$(~/.local/bin/mise activate bash)\"' \u003e\u003e ~/.bashrc\n\n# zsh\necho 'eval \"$(~/.local/bin/mise activate zsh)\"' \u003e\u003e ~/.zshrc\n\n# fish\necho '~/.local/bin/mise activate fish | source' \u003e\u003e ~/.config/fish/config.fish\n```\n\nAdditionally, your kernel must support unprivileged user namespaces. Verify with:\n\n```bash\nunshare --user true\n# Should succeed silently. If it fails, see Limitations.\n```\n\n**macOS:**\n\n```bash\nbrew install mise\n```\n\nA Docker runtime is also required (ensure it is running before using devsandbox):\n- [OrbStack](https://orbstack.dev/) -- recommended for Apple Silicon (fastest startup, lowest resource usage)\n- [Docker Desktop](https://docs.docker.com/desktop/install/mac-install/) -- most widely tested\n- [Colima](https://github.com/abiosoft/colima) -- free and open-source\n\n## Quickstart\n\n**Install:**\n\n```bash\nmise use -g github:zekker6/devsandbox\n```\n\n\u003e Homebrew is not currently available. For direct binary download, see [Installation Details](#installation-details).\n\n**Sandbox your AI agent:**\n\n```bash\n# 1. cd into your project\ncd ~/projects/my-app\n\n# 2. Run Claude Code in the sandbox (scoped to ~/projects/my-app)\ndevsandbox claude --dangerously-skip-permissions\n\n# 3. Verify what's protected\ndevsandbox --info\n```\n\ndevsandbox sandboxes the current working directory -- `cd` into your project first, then run `devsandbox`. Everything after `devsandbox` is passed to the sandboxed command. `--dangerously-skip-permissions` is a Claude Code flag that skips permission prompts -- safe inside the sandbox because devsandbox provides the security boundary.\n\n**Works with:** Claude Code, GitHub Copilot, aider, Cursor, Continue, Cline, OpenCode, and any CLI-based development tool.\n\nThat's it. No config files needed. On Linux, devsandbox includes embedded binaries -- zero dependencies. On macOS, a Docker runtime is required (see [Installation Details](#installation-details)).\n\nRun `devsandbox doctor` to verify your setup.\n\n\u003e **macOS:** devsandbox runs your code inside a lightweight Linux container (Debian slim) via Docker. Your project files are mounted into the container, so edits sync bidirectionally. Ensure your Docker runtime is running before using devsandbox. The first start downloads a base Docker image (~200MB); subsequent starts reuse Docker layer caching and complete in 1-2 seconds.\n\n## What Your AI Agent CAN and CANNOT Do\n\n**CAN:** Read/write your project files, run build commands, install dependencies, make API calls (logged in proxy mode).\n\n**CANNOT:** Read SSH keys, access cloud credentials (AWS/Azure/GCloud), read `.env` secrets, see other projects, push to git (by default), or modify your system.\n\n### Security Details\n\n| Resource | Default Access |\n|---|---|\n| Project directory | Read/Write |\n| `.env` / `.env.*` files | Hidden (masked with `/dev/null`) |\n| `~/.ssh` | Not mounted |\n| `~/.aws`, `~/.azure`, `~/.gcloud` | Not mounted |\n| `~/.gitconfig` | Sanitized (user.name/email only) |\n| `.git` directory | Read-only (no commits, no credentials) |\n| mise-managed tools | Read-only |\n| Network (default) | Full access |\n| Network (proxy mode) | Isolated and logged |\n| Outgoing secrets (proxy + redaction) | Blocked or redacted |\n\nEverything is configurable. See [Configuration](docs/configuration.md) for details.\n\n## Features\n\n- **Zero-config security** -- SSH keys, cloud credentials, `.env` files, and git credentials are blocked by default\n- **Your tools, your shell** -- mise-managed tools, shell configs, editor setups (nvim, starship, tmux) all work inside the sandbox\n- **MITM proxy** -- optional traffic inspection with log viewing, filtering, and export\n- **HTTP filtering** -- whitelist/blacklist domains, or interactively approve requests one at a time\n- **Content redaction** -- scan outgoing requests for secrets, block or replace them before they leave your machine\n- **Cross-platform** -- [bubblewrap](https://github.com/containers/bubblewrap) namespaces on Linux (sub-second startup), Docker containers on macOS\n- **Per-project isolation** -- each project gets its own sandbox home, caches, and logs\n- **Git modes** -- readonly (default), readwrite (with SSH/GPG), or disabled\n- **Desktop notifications** -- sandboxed apps can send notifications to the host via XDG Desktop Portal (Linux)\n\n## How It Works\n\n**Linux:** Uses [bubblewrap](https://github.com/containers/bubblewrap) to create namespace-based isolation. No root privileges, no Docker, no system packages required -- bwrap and pasta binaries are embedded. Startup is sub-second.\n\n**macOS:** Uses Docker containers with volume mounts that mirror the bwrap behavior. Named volumes provide near-native filesystem performance. Containers are cached for 1-2 second restarts.\n\nBoth backends automatically detect your shell, tools, and editor configs and make them available read-only inside the sandbox.\n\n## Usage Examples\n\n```bash\n# Interactive sandbox shell\ndevsandbox\n\n# Run any command in the sandbox\ndevsandbox npm install\ndevsandbox go test ./...\ndevsandbox cargo build\n\n# AI assistant with traffic monitoring\ndevsandbox --proxy claude --dangerously-skip-permissions\n\n# View what the AI accessed\ndevsandbox logs proxy --last 50\n\n# Follow traffic in real-time (in a second terminal)\ndevsandbox logs proxy -f\n\n# Whitelist-only network access\ndevsandbox --proxy --filter-default=block \\\n  --allow-domain=\"*.github.com\" \\\n  --allow-domain=\"api.anthropic.com\"\n\n# Choose isolation backend explicitly\ndevsandbox --isolation=docker npm install\n\n# Ephemeral sandbox (removed after exit)\ndevsandbox --rm\n```\n\n## Git Integration\n\nBy default, `.git` is mounted read-only -- you can view history, diff, and status, but commits are blocked and no credentials are exposed.\n\n| Mode | `.git` | Commits | Credentials |\n|---|---|---|---|\n| `readonly` | read-only | blocked | none **(default)** |\n| `readwrite` | read-write | allowed | SSH, GPG, credentials |\n| `disabled` | read-write | allowed | none |\n\n```toml\n# ~/.config/devsandbox/config.toml\n[tools.git]\nmode = \"readwrite\"  # for trusted projects that need push/sign\n```\n\n## Proxy Mode -- Monitor Your AI Agent's Network Activity\n\nRoute all HTTP/HTTPS traffic through a local MITM proxy. See every API call your AI agent makes in real-time, block suspicious domains, or interactively approve each request.\n\n```bash\n# Enable proxy\ndevsandbox --proxy\n\n# View logs\ndevsandbox logs proxy --stats        # Summary statistics\ndevsandbox logs proxy --errors       # Failed requests only\ndevsandbox logs proxy --json         # JSON export for scripting\n\n# Interactive request approval\ndevsandbox --proxy --filter-default=ask\n# Then in another terminal:\ndevsandbox proxy monitor\n```\n\nOn Linux, proxy mode uses [pasta](https://passt.top/) for network namespace isolation (embedded, no install needed). On macOS, it uses per-session Docker networks.\n\nSee [Proxy Mode docs](docs/proxy.md) for filtering rules, log formats, and remote logging setup.\n\n## Installation Details\n\n**Linux:**\n\nRequirements:\n- Linux kernel with unprivileged user namespaces enabled (verify: `unshare --user true` should succeed silently)\n- No system packages required (bwrap and pasta binaries are embedded)\n\n```bash\n# Option 1: mise\nmise use -g github:zekker6/devsandbox\n\n# Option 2: Download binary\ncurl -L https://github.com/zekker6/devsandbox/releases/latest/download/devsandbox_Linux_x86_64.tar.gz | tar xz\nsudo mv devsandbox /usr/local/bin/\n```\n\nTo use system-installed binaries instead of embedded ones, set `use_embedded = false` in [configuration](docs/configuration.md).\n\nOptional system packages (fallback if embedded extraction fails). Note: the `passt` package provides the `pasta` binary used for network namespace isolation.\n\n```bash\n# Arch Linux\nsudo pacman -S bubblewrap passt\n\n# Debian/Ubuntu\nsudo apt install bubblewrap passt\n\n# Fedora\nsudo dnf install bubblewrap passt\n```\n\n**macOS:** Requires a Docker runtime -- see [Prerequisites](#prerequisites) for options.\n\n**Build from source:**\n\n```bash\n# Requires: Go 1.22+ and Task (https://taskfile.dev/)\n# Or use mise to install dependencies: mise install\ntask build\n```\n\n## Quick Reference\n\n```bash\ndevsandbox                          # Interactive sandbox shell\ndevsandbox \u003ccommand\u003e                # Run command in sandbox\ndevsandbox --proxy                  # Enable proxy mode\ndevsandbox --rm                     # Ephemeral sandbox\ndevsandbox --info                   # Show sandbox configuration\ndevsandbox doctor                   # Check installation\ndevsandbox config init              # Generate config file\ndevsandbox sandboxes list           # List all sandboxes\ndevsandbox sandboxes prune          # Remove orphaned sandboxes\ndevsandbox logs proxy               # View proxy logs\ndevsandbox logs proxy -f            # Follow logs in real-time\ndevsandbox tools list               # List available tools\ndevsandbox tools check              # Verify tool setup\ndevsandbox image build              # Build Docker image (macOS)\n```\n\n## Documentation\n\n| Page | Contents |\n|---|---|\n| [Sandboxing](docs/sandboxing.md) | Isolation backends, security model, filesystem layout, overlay mounts, custom mounts, Docker backend details |\n| [Proxy Mode](docs/proxy.md) | Traffic inspection, log viewing/filtering/export, HTTP filtering, ask mode, content redaction, remote logging |\n| [Tools](docs/tools.md) | mise integration, shell/editor/prompt setup, AI assistant configs, Git modes, Docker socket proxy |\n| [Configuration](docs/configuration.md) | Config file reference, per-project configs, conditional includes, port forwarding, credential injection |\n| [Use Cases](docs/use-cases.md) | Shell aliases, autocompletion, development workflows, security monitoring scripts |\n\n## Limitations\n\n**Linux (bwrap):**\n- Requires unprivileged user namespaces (see [Troubleshooting](docs/sandboxing.md#troubleshooting) for distro-specific guidance)\n- SELinux or AppArmor may restrict namespace operations (see [Security Modules](docs/sandboxing.md#security-modules))\n- MITM proxy may break tools with certificate pinning\n- GUI applications are not supported (no display server forwarding), but desktop notifications work via XDG Portal\n\n**macOS (Docker):**\n- Requires a running Docker daemon\n- Project directory access goes through macOS virtualization (VirtioFS/gRPC-FUSE), which may be slower for I/O-heavy operations. Sandbox-internal operations (npm install, Go builds) use named Docker volumes with near-native speed.\n- File watching (hot reload) may require polling mode. See [File Watching Limitations](docs/sandboxing.md#file-watching-limitations) for workarounds.\n- Network isolation uses HTTP_PROXY instead of pasta\n\n**Both:**\n- Docker socket access is read-only (no container creation/deletion) -- see [Tools docs](docs/tools.md#docker)\n- No nested Docker (cannot run Docker inside the sandbox)\n\n## License\n\nMIT\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzekker6%2Fdevsandbox","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzekker6%2Fdevsandbox","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzekker6%2Fdevsandbox/lists"}