https://github.com/axeforging/aigate
OS-level sandbox for AI coding agents - kernel-enforced file, command, and network isolation
ai-agents ai-security execution-sandbox sandboxing sandboxing-tool secure-ai secure-llm zero-trust
Last synced: 13 days ago
- Host: GitHub
- URL: https://github.com/axeforging/aigate
- Owner: AxeForging
- License: mit
- Created: 2026-02-12T10:27:56.000Z (5 months ago)
- Default Branch: main
- Last Pushed: 2026-06-08T17:35:21.000Z (27 days ago)
- Last Synced: 2026-06-08T19:14:04.588Z (27 days ago)
- Topics: ai-agents, ai-security, execution-sandbox, sandboxing, sandboxing-tool, secure-ai, secure-llm, zero-trust
- Language: Go
- Homepage:
- Size: 2.99 MB
- Stars: 14
- Watchers: 1
- Forks: 1
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# aigate
**OS-level sandbox for AI coding agents.** Kernel-enforced file, command, and network isolation for Claude Code, Cursor, Copilot, Aider, and any AI tool. Like a Python venv but for AI permissions.
## TL;DR
```sh
# Install
curl -L https://github.com/AxeForging/aigate/releases/latest/download/aigate-linux-amd64.tar.gz | tar xz
sudo mv aigate-linux-amd64 /usr/local/bin/aigate
# Install sandbox dependencies (Linux)
sudo dnf install bubblewrap slirp4netns # Fedora / RHEL
# sudo apt install bubblewrap slirp4netns # Ubuntu / Debian
# Set up sandbox
sudo aigate setup # One-time: create OS group/user for ACLs
aigate init # Create default config
aigate doctor # Verify prerequisites
# Add restrictions
aigate deny read .env secrets/ *.pem
aigate deny exec curl wget ssh
# Run any AI tool inside the sandbox
aigate run -- claude
aigate run -- cursor
```
## Why?
AI coding tools enforce their own permission rules in the application layer, i.e. inside the same process that is supposed to be restricted, so a bug in the tool or a rule it silently ignores defeats the policy. For GDPR/ISO/security-regulated companies that is not enough. aigate moves the trust boundary to the OS kernel, which enforces the rules on the agent process from outside it:
| Approach | Enforced by | Bypassable? |
|----------|-------------|-------------|
| .claudeignore | App | Yes (proven broken) |
| permissions.deny | App | Yes, in principle (only the tool itself honours it) |
| **aigate (ACLs + namespaces)** | **Kernel** | **Not from inside the sandbox** (enforcement lives outside the agent's control) |
## Features
- **File isolation** - POSIX ACLs (Linux) / macOS ACLs deny the sandbox user (created by `aigate setup`) read access to matched files
- **Process isolation** - Bubblewrap (`bwrap`) + mount namespaces isolate the sandbox declaratively (Linux); Seatbelt on macOS
- **Network isolation** - `bwrap --unshare-net` + `slirp4netns` + `iptables` (+ `ip6tables` for IPv6 when available) restrict egress to allowed domains (Linux)
- **Command blocking** - Deny execution of dangerous commands (curl, wget, ssh)
- **Output masking** - Redact secrets (API keys, tokens) from stdout/stderr before they reach the terminal
- **Audit log + dashboard** - Every run and blocked command is recorded to `~/.aigate/audit.jsonl`; `aigate serve` exposes a local web dashboard over it
- **Tool-agnostic** - Works with any AI tool: Claude Code, Cursor, Copilot, Aider
- **Sensible defaults** - Ships with deny rules for .env, secrets/, .ssh/, *.pem, etc.
- **Project-level config** - `.aigate.yaml` extends global rules per project
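The output-masking feature above is the one control in this list that works on data rather than on the kernel boundary, and the practical difficulty is that a child process's stdout arrives in arbitrary pipe-sized chunks, so a naive per-chunk replace misses a key that straddles two reads. The following Go program is an added example written for this page, not aigate's own implementation (the page does not describe how aigate detects secrets); it masks a list of known literal secret values and holds back a short tail between writes so a split secret is still caught. The secret value and the chunk boundary in `main` are constructed sample data.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
)

const placeholder = "[REDACTED]"

// Redactor is an io.Writer that replaces known secret values in a byte stream
// before forwarding it to dst. It keeps a short tail of unflushed bytes so a
// secret split across two Write calls (as pipe reads routinely split output)
// is still caught. Hypothetical example code, not aigate's implementation.
type Redactor struct {
	dst     io.Writer
	secrets [][]byte
	maxLen  int    // length of the longest secret
	pending []byte // tail that may be the prefix of a secret continued in the next write
}

// NewRedactor wraps dst; secrets are the literal values to mask (empty strings are ignored).
func NewRedactor(dst io.Writer, secrets []string) *Redactor {
	r := &Redactor{dst: dst}
	for _, s := range secrets {
		if s == "" {
			continue
		}
		r.secrets = append(r.secrets, []byte(s))
		if len(s) > r.maxLen {
			r.maxLen = len(s)
		}
	}
	return r
}

// Write masks every complete secret occurrence in pending+p, forwards everything
// except the last maxLen-1 bytes, and holds those back until more data or Flush.
func (r *Redactor) Write(p []byte) (int, error) {
	buf := make([]byte, 0, len(r.pending)+len(p))
	buf = append(buf, r.pending...)
	buf = append(buf, p...)
	for _, s := range r.secrets {
		buf = bytes.ReplaceAll(buf, s, []byte(placeholder))
	}
	hold := r.maxLen - 1 // longest possible partial secret at the end of buf
	if hold < 0 {
		hold = 0
	}
	if hold > len(buf) {
		hold = len(buf)
	}
	flush := buf[:len(buf)-hold]
	r.pending = append([]byte(nil), buf[len(buf)-hold:]...)
	if _, err := r.dst.Write(flush); err != nil {
		return 0, err
	}
	return len(p), nil
}

// Flush forwards the held-back tail; call it once the child process has exited.
func (r *Redactor) Flush() error {
	_, err := r.dst.Write(r.pending)
	r.pending = nil
	return err
}

// RedactChunks runs a sequence of write chunks through a Redactor and returns
// the masked output as one string; this is what the demo and tests exercise.
func RedactChunks(secrets []string, chunks []string) string {
	var out bytes.Buffer
	r := NewRedactor(&out, secrets)
	for _, c := range chunks {
		_, _ = r.Write([]byte(c))
	}
	_ = r.Flush()
	return out.String()
}

func main() {
	// Constructed sample: a key that a pipe read happened to split mid-value.
	secrets := []string{"sk-ant-api03-EXAMPLEKEY"}
	chunks := []string{"ANTHROPIC_API_KEY=sk-ant-api03-EX", "AMPLEKEY\nbuild ok\n"}
	fmt.Print(RedactChunks(secrets, chunks))
}
```

In a wrapper you would set `cmd.Stdout = NewRedactor(os.Stdout, secrets)` and call `Flush` after `cmd.Wait`. Two caveats worth keeping in mind: the writer delays the last `maxLen-1` bytes of output until more data arrives, which is visible with interactive tools, and literal matching cannot catch a secret the agent base64-encodes or prints one character at a time. That is why masking is a second line of defence here and the kernel-level read denial is the primary one.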
## Documentation
| Audience | Link |
|----------|------|
| **Users** | [docs/user/README.md](docs/user/README.md) - Installation, usage, examples |
| **AI Assistants** | [docs/AI/README.md](docs/AI/README.md) - Architecture, testing, common tasks |
---
## Commands
```sh
sudo aigate setup # Create OS group/user (one-time)
aigate init # Create default config
aigate doctor # Check prerequisites and isolation mode
aigate deny read .env secrets/ *.pem # Block file access
aigate deny exec curl wget ssh # Block commands
aigate deny net --except api.anthropic.com # Restrict network
aigate allow read .env # Remove a deny rule
aigate run -- claude # Run AI tool in sandbox
aigate status # Show current rules
aigate serve # Local web dashboard over the audit log
aigate help-ai # Show AI-friendly usage examples
aigate reset --force # Remove everything
```
## How It Works

See [docs/user/README.md](docs/user/README.md) for detailed architecture diagrams covering file isolation, network isolation (Linux & macOS), and process isolation.
## Configuration
Global config (`~/.aigate/config.yaml`) is created by `aigate init` with defaults. Extend per-project with `.aigate.yaml`:
```yaml
# .aigate.yaml (in project root)
deny_read:
- "terraform.tfstate"
- "vault-token"
allow_net:
- "registry.terraform.io"
```
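How a project file "extends" the global rules is the security-relevant question for this section: if a `.aigate.yaml` checked into the repository could remove a global deny, an agent that can edit files in the project could loosen its own policy. The Go program below is an added example, not aigate's own code, and its merge and matching semantics (deny and allow lists only accumulate; `dir/` denies a subtree; glob rules such as `*.pem` match base names anywhere in the tree; plain names match the exact path or base name; hosts match exactly) are this example's assumptions, not documented behaviour of the project. It parses the small YAML subset the two config snippets above use and evaluates paths and hosts against the merged rules; the configs in `main` are constructed from the README's own examples.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rules is the subset of an aigate-style config this example understands.
// Field names mirror the keys shown in the README; the merge and match
// semantics below are this example's own assumptions.
type Rules struct {
	DenyRead []string // paths, "dir/" prefixes, or glob patterns the agent must not read
	AllowNet []string // hostnames the agent may reach when the network is otherwise denied
}

// ParseRules reads the tiny YAML subset used by the README examples: a
// top-level "key:" line followed by "- item" entries. Quotes are optional and
// lines starting with # are comments. Unknown keys are skipped, not rejected.
func ParseRules(src string) Rules {
	var r Rules
	var cur *[]string
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "" || strings.HasPrefix(line, "#"):
			continue
		case strings.HasPrefix(line, "- "):
			if cur != nil {
				*cur = append(*cur, strings.Trim(strings.TrimSpace(line[2:]), `"'`))
			}
		case strings.HasSuffix(line, ":"):
			switch strings.TrimSuffix(line, ":") {
			case "deny_read":
				cur = &r.DenyRead
			case "allow_net":
				cur = &r.AllowNet
			default:
				cur = nil
			}
		default:
			cur = nil // "key: value" or anything else ends the current list
		}
	}
	return r
}

// Merge extends global rules with a project's .aigate.yaml. Both lists only
// accumulate, so a project file can add restrictions but never remove a global
// deny: a checked-in config the agent could edit must not be able to loosen policy.
func Merge(global, project Rules) Rules {
	return Rules{
		DenyRead: union(global.DenyRead, project.DenyRead),
		AllowNet: union(global.AllowNet, project.AllowNet),
	}
}

func union(a, b []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, s := range append(append([]string{}, a...), b...) {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	return out
}

// ReadDenied reports whether relPath (slash-separated, relative to the project
// root) hits a deny_read rule. The path is cleaned first so "secrets/../x" is
// judged as "x", not as something under secrets/.
func ReadDenied(r Rules, relPath string) bool {
	relPath = path.Clean(relPath)
	for _, rule := range r.DenyRead {
		switch {
		case strings.HasSuffix(rule, "/"): // directory rule: the whole subtree
			if relPath == strings.TrimSuffix(rule, "/") || strings.HasPrefix(relPath, rule) {
				return true
			}
		case strings.ContainsAny(rule, "*?["): // glob rule: matched against the base name
			if ok, _ := path.Match(rule, path.Base(relPath)); ok {
				return true
			}
		default: // plain name: exact path or base name anywhere in the tree
			if relPath == rule || path.Base(relPath) == rule {
				return true
			}
		}
	}
	return false
}

// NetAllowed reports whether host is on the allow list (exact, case-insensitive match).
func NetAllowed(r Rules, host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, h := range r.AllowNet {
		if strings.ToLower(h) == host {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample configs, mirroring the README's default denies and project file.
	global := ParseRules("deny_read:\n  - .env\n  - secrets/\n  - \"*.pem\"\nallow_net:\n  - api.anthropic.com\n")
	project := ParseRules("# .aigate.yaml\ndeny_read:\n  - terraform.tfstate\n  - vault-token\nallow_net:\n  - registry.terraform.io\n")
	rules := Merge(global, project)
	for _, p := range []string{"secrets/db/password", "infra/terraform.tfstate", "certs/server.pem", "main.go"} {
		fmt.Printf("read %-24s denied=%v\n", p, ReadDenied(rules, p))
	}
	fmt.Println("net registry.terraform.io allowed:", NetAllowed(rules, "registry.terraform.io"))
}
```

A matcher like this is only a way to reason about or display the policy (what `aigate status` would show); the enforcement the README relies on is the ACL and namespace setup the kernel applies, so a discrepancy between the two is something `aigate doctor`-style checks should surface rather than something the matcher can fix.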
## Exit Codes
| Code | Meaning |
|------|---------|
| 0 | Success |
| 1 | Error |
## License
MIT - see [LICENSE](LICENSE)