Rootless Podman containers to run AI coding agents (Claude Code, Codex, Cursor Agent) in hardened, read-only sandboxes.
# AI Agent Sandbox

Rootless Podman containers to run AI coding agents (Claude Code, Codex, Cursor Agent) in isolation. Each agent runs in a hardened, read-only container with minimal capabilities, resource limits and an isolated network stack.

## Structure

```
ai-sandbox/
├── base/
│   └── Containerfile          # Base image (Fedora 43, Node.js, Python, Git, ripgrep, …)
├── bpf/
│   ├── block_commands.bpf.c   # BPF LSM program (hooks bprm_check_security)
│   ├── block_commands.h       # Shared structures (blocked_cmd_key)
│   ├── config.h               # Configuration defines (MAX_BIN_LEN, etc.)
│   ├── loader.c               # Userspace loader (libbpf skeleton)
│   ├── Makefile               # Build system for BPF program and loader
│   └── README.md              # BPF component documentation
├── claude-code/
│   └── Containerfile          # Claude Code (native installer + npm fallback)
├── codex/
│   └── Containerfile          # OpenAI Codex CLI
├── cursor-agent/
│   └── Containerfile          # Cursor Agent CLI (installed to /opt to survive tmpfs)
├── test/
│   └── test_bpf_blocker.sh    # End-to-end tests for BPF command blocker
├── install.sh                 # Installer (and uninstaller) script
├── build.sh                   # Build script for images
├── ai-sandbox                 # Wrapper to start agents
├── LICENSE                    # GPLv3
└── README.md
```

## Requirements

- [Podman](https://podman.io/) (rootless) — tested with v4+
- [passt/pasta](https://passt.top/) — network backend (default mode; `slirp4netns` works as fallback)
- Git
- cgroups v2 enabled (default on recent Fedora, Arch, Debian 12+, Ubuntu 24.04+)

The installer checks all of these automatically. See [install.sh](#install) for details.

## Quick Start

```bash
# 1. Install (checks prerequisites, builds images, installs to ~/.local/bin)
./install.sh

# 2. Configure API keys (once)
mkdir -p ~/.config/ai-sandbox
cat > ~/.config/ai-sandbox/env << 'EOF'
ANTHROPIC_API_KEY=sk-ant-...
OPENA
```
Agent that generates comprehensive documentation, API references, architecture diagrams, and developer onboarding guides from existing code.
Agent configuration for systematic bug investigation that traces issues from error logs through the codebase to root cause with suggested fixes.
Agent for integrating third-party APIs including SDK setup, type generation, error handling, retry logic, and rate limit management.
Cursor's built-in autonomous coding agent that can make multi-file edits, run terminal commands, search the codebase, and iteratively build features with minimal human intervention.
Cloud-based autonomous coding agent that runs in the background on remote sandboxed environments, handling complex multi-step tasks while you continue working.
Cursor's multi-file editing agent within Composer mode that can create, edit, and delete files across your entire project in a single conversation.