code-on-incus (coi)

Isolated machines for AI coding agents - with active defense.

COI gives each AI agent its own machine - a full system container with root access, systemd, Docker, and the ability to install anything. Agents work like they would on a real server: run services, manage packages, use cron - without touching your actual system. Files stay correctly owned, no permission hacks needed.

Your credentials stay on the host. SSH keys, environment variables, and Git tokens are never exposed to AI tools unless you explicitly mount them. If something goes wrong, COI catches it - reverse shells, credential scanning, data exfiltration - and pauses or kills the container automatically. No manual intervention needed.

Built by developers, for developers who run AI agents and want to know what those agents are doing. Not a product, not a startup - a tool that does the job.

Who this is for

• You run AI coding agents and want them to have full machine access - root, Docker, package managers, services - without risking your host
• You want to know when an agent does something suspicious, not find out after the fact
• You run multiple agents in parallel and need them isolated from each other
• You want persistent dev environments that survive restarts and reboots, not throwaway containers that lose your setup every time
• You care about your credentials not ending up inside an agent-controlled environment

Table of Contents

• Who this is for
• Supported AI Coding Tools
• Supported Tools (detailed)
• Features
• Quick Start
• Why Incus Instead of Docker or Docker Sandboxes?
• Installation
• macOS Support
• Usage
• Session Resume
• Persistent Mode
• Configuration
• Profiles
• Resource and Time Limits
• Container Lifecycle & Session Persistence
• Network Isolation
• Security Monitoring
• Security Best Practices
• Snapshot Management
• System Health Check
• Troubleshooting
• FAQ

Supported AI Coding Tools

Currently supported:

• Claude Code (default) - Anthropic's official CLI tool
• opencode - Open-source AI coding agent (https://opencode.ai)

Coming soon:

• Aider - AI pair programming in your terminal
• Cursor - AI-first code editor
• And more...

Tool selection:

coi shell                    # Uses default tool (Claude Code)
coi shell --tool opencode    # Use opencode instead

Permission mode - Control whether AI tools run autonomously or ask before each action:

# ~/.coi/config.toml or .coi/config.toml
[tool]
name = "claude"              # Default AI tool
permission_mode = "bypass"   # "bypass" (default) or "interactive"

See the Supported Tools wiki page for detailed configuration, API key setup, and adding new tools.

Features

Core Capabilities

• Multi-slot support - Run parallel AI coding sessions for the same workspace with full isolation
• Session resume - Resume conversations with full history and credentials restored (workspace-scoped)
• Persistent containers - Keep containers alive between sessions (installed tools preserved)
• Workspace isolation - Each session mounts your project directory
• Slot isolation - Each parallel slot has its own home directory (files don't leak between slots)
• Workspace files persist even in ephemeral mode - Only the container is deleted, your work is always saved
• Container snapshots - Create checkpoints, rollback changes, and branch experiments with full state preservation

Host Integration

• SSH agent forwarding - Use git-over-SSH inside containers without copying private keys ([ssh] forward_agent = true)
• Environment variable forwarding - Selectively forward host env vars by name (forward_env in config)
• Host timezone inheritance - Containers automatically inherit the host's timezone (configurable via [timezone] config)
• Sandbox context file - Auto-injected ~/SANDBOX_CONTEXT.md tells AI tools about their environment (network mode, workspace path, persistence, etc.). Automatically loaded into each tool's native context system: Claude Code via ~/.claude/CLAUDE.md, OpenCode via the instructions field in opencode.json (opt out with auto_context = false)

Security & Isolation

• Credential protection - SSH keys, .env files, Git credentials, and environment variables are never exposed unless explicitly mounted
• Privileged container guard - Refuses to start when security.privileged=true is detected, which defeats all container isolation
• Security posture verification - coi health checks seccomp, AppArmor, and privilege settings to confirm full isolation
• Kernel version enforcement - Warns on host kernels below 5.15 that may lack security features for safe isolation
• Real-time threat detection - Kernel-level nftables monitoring detects reverse shells, C2 connections, data exfiltration, DNS tunneling, and credential scanning
• Automated response - Auto-pause on HIGH threats, auto-kill on CRITICAL — no manual intervention needed
• Network isolation - Firewalld-based restricted/allowlist/open modes block private network access and prevent exfiltration
• Protected paths - .git/hooks, .git/config, .husky, .vscode mounted read-only to prevent supply-chain attacks
• Host-side immutable protection - Protected paths are locked with chattr +i during sessions, preventing unshare -m + umount bypass of read-only mounts (opt out: [security] host_immutable = false)
• Git identity guard - Containers enforce user.useConfigOnly=true, preventing AI tools from committing as the default "code" user
• Guest API disabled - Incus guest API (/dev/incus) disabled by default, preventing host path and topology leaks
• System containers - Full OS isolation with unprivileged containers, better than Docker privileged mode
• Automatic UID mapping - No permission hell, files owned correctly
• Audit logging - All security events logged to JSONL for forensics and compliance

Safe Dangerous Operations

• AI coding tools often need broad filesystem access or bypass permission checks
• These operations are safe inside containers because the "root" is the container root, not your host system
• Containers are ephemeral - any changes are contained and don't affect your host
• This gives AI tools full capabilities while keeping your system protected

Quick Start

# Install
curl -fsSL https://raw.githubusercontent.com/mensfeld/code-on-incus/master/install.sh | bash

# Build image (first time only, ~5-10 minutes)
coi build

# Start coding with your preferred AI tool (defaults to Claude Code)
cd your-project
coi shell

# Or use opencode instead
coi shell --tool opencode

# That's it! Your AI coding assistant is now running in an isolated container with:
# - Your project mounted at /workspace
# - Correct file permissions (no more chown!)
# - Full Docker access inside the container
# - GitHub CLI available for PR/issue management
# - All workspace changes persisted automatically
# - No access to your host SSH keys, env vars, or credentials

Why Incus Instead of Docker or Docker Sandboxes?

Incus is a modern Linux container and virtual machine manager, forked from LXD. Unlike Docker (which uses application containers), Incus provides system containers that behave like lightweight VMs with full init systems.

Security Comparison

| Capability | code-on-incus | Docker Sandbox | Bare Metal | |------------|-------------------|----------------|------------| | Credential isolation | Default (never exposed) | Partial | None | | Real-time threat detection | Kernel-level (nftables) | No | No | | Reverse shell detection | Auto-kill | No | No | | Data exfiltration alerts | Auto-pause | No | No | | Network isolation | Firewalld (3 modes) | Basic | No | | Protected paths | Read-only mounts | No | No | | Auto response (pause/kill) | Yes | No | No | | Audit logging | JSONL forensics | No | No | | Supply-chain attack prevention | Git hooks/IDE configs protected | No | No |

Why Incus Instead of Docker Sandboxes?

• Linux-first, not Linux-last. Docker Sandboxes' microVM isolation is only available on macOS and Windows. Linux gets a legacy container-based fallback