Mensfeld/code-on-incus: Give each AI agent its own isolated machine Developer Maciej Mensfeld released Code on Incus (COI), an open-source tool that gives each AI coding agent its own isolated system container with root access, Docker, and active security monitoring. The tool automatically detects and blocks suspicious activities like reverse shells and credential exfiltration, and supports tools including Claude Code, opencode, and pi.dev. Isolated machines for AI coding agents - with active defense. COI gives each AI agent its own machine - a full system container with root access, systemd, Docker, and the ability to install anything. Agents work like they would on a real server: run services, manage packages, use cron - without touching your actual system. Files stay correctly owned, no permission hacks needed. Your credentials stay on the host. SSH keys, environment variables, and Git tokens are never exposed to AI tools unless you explicitly mount them. If something goes wrong, COI catches it - reverse shells, credential scanning, data exfiltration - and pauses or kills the container automatically. No manual intervention needed. Built by developers, for developers who run AI agents and want to know what those agents are doing. Not a product, not a startup - a tool that does the job. - You run AI coding agents and want them to have full machine access - root, Docker, package managers, services - without risking your host - You want to know when an agent does something suspicious, not find out after the fact - You run multiple agents in parallel and need them isolated from each other - You want persistent dev environments that survive restarts and reboots, not throwaway containers that lose your setup every time - You care about your credentials not ending up inside an agent-controlled environment https://www.youtube.com/watch?v=t78-JUnTK5Q Watch the BetterStack video about Code on Incus Who this is for who-this-is-for Supported AI Coding Tools supported-ai-coding-tools Supported Tools detailed https://github.com/mensfeld/code-on-incus/wiki/Supported-Tools Features features Quick Start quick-start Why Incus Instead of Docker or Docker Sandboxes? why-incus-instead-of-docker-or-docker-sandboxes Installation installation macOS Support macos-support Usage usage Run Scripts and Commands in the Sandbox run-scripts-and-commands-in-the-sandbox Session Resume session-resume Persistent Mode persistent-mode Configuration configuration Profiles profiles Resource and Time Limits https://github.com/mensfeld/code-on-incus/wiki/Resource-and-Time-Limits Container Lifecycle & Session Persistence https://github.com/mensfeld/code-on-incus/wiki/Container-Lifecycle-and-Sessions Network Isolation network-isolation Security Monitoring security-monitoring Security Best Practices https://github.com/mensfeld/code-on-incus/wiki/Security-Best-Practices Snapshot Management https://github.com/mensfeld/code-on-incus/wiki/Snapshot-Management System Health Check https://github.com/mensfeld/code-on-incus/wiki/System-Health-Check Troubleshooting https://github.com/mensfeld/code-on-incus/wiki/Troubleshooting FAQ https://github.com/mensfeld/code-on-incus/wiki/FAQ Currently supported: Claude Code default - Anthropic's official CLI tool opencode - Open-source AI coding agent https://opencode.ai https://opencode.ai pi - AI coding assistant https://pi.dev https://pi.dev Coming soon: - Aider - AI pair programming in your terminal - Cursor - AI-first code editor - And more... Tool selection is config/profile-driven: ~/.coi/config.toml or ./.coi/config.toml tool name = "opencode" or "claude" default , "pi" coi shell Uses the configured tool Claude Code by default coi shell --profile opencode Or switch via a profile with tool name = "opencode" Permission mode - Control whether AI tools run autonomously or ask before each action: ~/.coi/config.toml or .coi/config.toml tool name = "claude" Default AI tool permission mode = "bypass" "bypass" default or "interactive" See the Supported Tools wiki page https://github.com/mensfeld/code-on-incus/wiki/Supported-Tools for detailed configuration, API key setup, and adding new tools. Core Capabilities - Multi-slot support - Run parallel AI coding sessions for the same workspace with full isolation - Session resume - Resume conversations with full history and credentials restored workspace-scoped - Persistent containers - Keep containers alive between sessions installed tools preserved - Workspace isolation - Each session mounts your project directory - Slot isolation - Each parallel slot has its own home directory files don't leak between slots Workspace files persist even in ephemeral mode - Only the container is deleted, your work is always saved- Container snapshots - Create checkpoints, rollback changes, and branch experiments with full state preservation Host Integration - SSH agent forwarding - Use git-over-SSH inside containers without copying private keys ssh forward agent = true - Host port publishing - Publish container TCP ports on the host ports pool for identity-mapped agent-usable ports, ports.map for fixed services : agent-started dev servers become reachable at localhost: