Secure AI CLI sandbox

Run every AI CLI in a sealed container.

Claude Code, Codex, and Gemini — isolated from your host machine. Go --yolo safely: skip every permission prompt without handing an agent the keys to your laptop.

Get started
$ npm i -g @zzev/aibox
100% isolated
non-root
caps dropped
open source
aibox — zsh
$ npm i -g @zzev/aibox
$ cd ~/project && aibox --yolo
▸ sealed container up · non-root (uid ai)
▸ caps dropped · ssh mounted read-only
▸ claude · codex · gemini  ready
ai@aibox:~/project$

Why aibox

Isolation without the friction

Everything the AI CLIs can touch is contained. Everything you need — git, SSH, your project — stays right where you expect it.

Multi-CLI support

Claude Code, Codex, and Gemini in one container. Switch tools with a single flag.

Secure by default

Non-root user, dropped capabilities, full filesystem isolation. Your host stays untouched.

Multi-account

Separate profiles for work, personal, or client projects. Keep credentials cleanly apart.

Git that just works

SSH keys mounted read-only, macOS-compatible. Commit and push without leaving the box.

Resource limits

Capped at 2 CPU and 4 GB. A runaway agent can't exhaust your machine.

One-command setup

A single docker-compose service. No config files to babysit — run aibox and you're in.

Quick start

Up and running in seconds

Install the CLI, drop into any project, and you're inside a sealed container — no Dockerfiles to write.

  1. 1

    Install the CLI

    $ npm i -g @zzev/aibox
  2. 2

    Enter your project

    $ cd ~/project
  3. 3

    Launch the sandbox

    $ aibox
aibox — example
# interactive shell (default)
$ aibox
# or launch a specific CLI
$ aibox -t codex
$ aibox -t gemini
# skip every permission prompt
$ aibox --yolo
▸ sealed · caps dropped · ready
Docker
Docker + Compose, installed and running.
Node 18+
For the npm global install.
SSH keys
Optional — for git operations.

Usage

Everyday commands

From a quick shell to multi-account workflows — the whole surface is a handful of flags.

Basic
# interactive shell (default)
$ aibox
# launch a specific CLI
$ aibox -t codex
$ aibox -t gemini
# skip every permission prompt
$ aibox --yolo
Multi-account
# create isolated profiles
$ aibox -p work
$ aibox -p personal
# run under a given account
$ aibox -a work -t codex
$ aibox -a personal -t claude
~/.aibox/profiles/ · work.toml · personal.toml
Updates
# pull the latest image
$ aibox --update
# update a single account
$ aibox -a work --update
# or pull manually
$ docker pull ghcr.io/zzev/aibox:latest
Cleanup
# remove orphaned containers
$ aibox --clean
# list running boxes
$ docker ps -a --filter name=aibox
# force-remove one
$ docker rm -f aibox-default

Security model

Isolated by construction

The container runs unprivileged and locked down. Your keys, your files, and your host stay yours.

Supported CLIs
cc
Claude Code
Anthropic's coding agent
cx
Codex
OpenAI's code CLI
gm
Gemini
Google's AI CLI
Hardening on by default
User
non-root · uid ai
Capabilities
all dropped
Filesystem
isolated
Network
isolated
CPU
2 cores
Memory
4 GB
SSH mounts
read-only