jai

Run the agent. Keep your files.

Don't YOLO your file system. jai is a super-lightweight Linux sandbox for AI agents and coding assistants on the machine you already use.

This is not hypothetical.

People are already reporting lost files, emptied working trees, and wiped home directories after giving AI tools ordinary machine access.

There's a gap between giving an agent your real account and stopping everything to build a container or VM. jai fills that gap. One command, no images, no Dockerfiles — just a lighter-weight boundary for the workflows you're already running: quick coding help, one-off local tasks, running installer scripts you didn't write.

Your files, your rules

Use AI agents without handing over your whole account. jai gives your working directory full access and keeps the rest of your home behind a copy-on-write overlay — or hidden entirely.

Stop trusting blindly

One-line installer scripts, AI-generated shell commands, unfamiliar CLIs — stop running them against your real home directory. Drop jai in front and the worst case gets a lot smaller.

Containment shouldn't be hard

No images to build, no Dockerfiles to maintain, no 40-flag bwrap invocations. Just jai your-agent. If containment isn't easier than YOLO mode, nobody will bother.

How it works

One command. No setup beyond jai --init.

1. Prefix your command
   jai codex, jai claude, or just jai for a shell.

2. CWD stays writable
   Your working directory keeps full read/write access inside the jail.

3. Home is an overlay
   Changes to your home directory are captured copy-on-write. Originals are untouched.

4. Rest is locked down
   /tmp and /var/tmp are private. Everything else is read-only.
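To check the four properties above from inside a jail, here is a probe script added as an example; it is not part of jai or of the original page. The function names, the marker path, and the choice of /etc and /usr as samples of "everything else" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of jai: probe the filesystem view from inside a jail
# and print it next to what the page says to expect.

# can_write DIR: succeed if a file can be created in DIR (the probe is removed).
can_write() {
    probe="$1/.probe.$$"
    # Subshell: a failed redirection must not abort the calling shell.
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    return 1
}

# classify DIR: print "missing", "writable" or "read-only".
classify() {
    if [ ! -d "$1" ]; then
        echo missing
    elif can_write "$1"; then
        echo writable
    else
        echo read-only
    fi
}

# marker_visible FILE: succeed if a file planted outside the jail can be seen.
marker_visible() { [ -e "$1" ]; }

# report [MARKER]: MARKER is a file you created under /tmp before starting jai
# (the default path is a constructed placeholder).
report() {
    marker="${1:-/tmp/outside-marker}"
    echo "cwd  $PWD: $(classify "$PWD") (page: read/write)"
    echo "home $HOME: $(classify "$HOME") (page: overlay or empty private home)"
    for d in /tmp /var/tmp; do
        echo "$d: $(classify "$d") (page: private)"
    done
    for d in /etc /usr; do   # sample paths standing in for "everything else"
        echo "$d: $(classify "$d") (page: read-only)"
    done
    if marker_visible "$marker"; then
        echo "$marker is visible: /tmp is shared with the host"
    else
        echo "$marker is not visible: consistent with a private /tmp"
    fi
}

report "$@"
```

Create the marker file on the host first, then run the script in a shell started with jai; without a planted marker the last line says nothing about /tmp.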

Three modes

Pick the level of isolation that fits your workflow.

| | Casual | Strict | Bare |
|---|---|---|---|
| Home directory | Copy-on-write overlay | Empty private home | Empty private home |
| Process runs as | Your user | Unprivileged jai user | Your user |
| Confidentiality | Weak — files readable | Strong — separate UID | Weak — your UID |
| Integrity | Overlay protects originals | Full isolation | Full isolation |
| NFS support | Yes | No | Yes |
| Default when | Unnamed jails | Named jails | NFS fallback |

Free software, not a funnel

jai is free software. There is no hosted tier, usage meter, or “contact sales” step hiding behind the download. The point is simpler than that: give people a practical local sandbox they can run themselves, inspect themselves, and keep using without getting pushed toward a service.

Versus the alternatives

jai is not trying to replace containers. It fills a different niche.

Docker

Great for reproducible, image-based environments. Heavier to set up for ad-hoc sandboxing of host tools. No overlay-on-home workflow.

bubblewrap

Powerful namespace sandbox. Requires explicitly assembling the filesystem view — often turns into a long wrapper script, which is the friction jai removes.

chroot

Not a security mechanism. No mount isolation, no PID namespace, no credential separation. Linux documents it as not intended for sandboxing.

jai is not a promise of perfect safety.

jai is a casual sandbox: it reduces the blast radius but does not eliminate it. Casual mode does not protect confidentiality. Even strict mode is not equivalent to a hardened container runtime or VM. When you need strong multi-tenant isolation or defense against a determined adversary, use a proper container or virtual machine.

Stanford SCS