Nixcage – Sandbox AI coding agents per project with Nix and direnv

Name: Nixcage – Sandbox AI coding agents per project with Nix and direnv
Availability: InStock
Author: hamidr

by hamidr·Mar 13, 2026·1 point·0 comments

Visit Project View on HN

AI Analysis

●●SolidBig BrainNiche Gem

direnv auto-activation with bubblewrap sandboxing isolates agents per project.

Strengths

•Three isolation levels (strict, standard, relaxed) balance security with workflow needs
•Debug mode captures blocked syscalls so you can tune config without guesswork
•Controls Nix store access separately—shared, readonly, copy, or fully isolated

Weaknesses

•Requires Nix and direnv setup—adds complexity for non-Nix users
•Sandbox-exec on macOS is less robust than bubblewrap's namespace isolation

Post Description

I built nixcage to solve a problem that's been bugging me: AI coding agents like Claude Code have broad access to your filesystem, network, and system. That's powerful but uncomfortable, especially on client projects or machines with sensitive data.

nixcage creates per-project sandboxes that activate automatically when you cd into a directory (via direnv). It uses bubblewrap on Linux and sandbox-exec on macOS — no VMs, no Docker, no overhead.

Three isolation levels: strict (no network, empty home), standard (project writable, network on), and relaxed (home readable, project writable).

It also controls Nix store access (shared, readonly, copy, or fully isolated) so sandboxed tools can't pollute your host store.

Quick start: nixcage init --preset claude-code && direnv allow

A debug mode captures every blocked syscall so you can see exactly what's denied and tune your config.

https://github.com/hamidr/nixcage