Tools to let coding agents access the shell with opinionated defaults.
sandbox— nsjail-based execution sandbox. The container boundary is the primary security model: the agent runs with full freedom inside the sandbox but cannot access host credentials or mutate the host filesystem.command_filter— rule language and filter for host-side command execution. Complements sandboxing by narrowly delegating specific CLI capabilities the agent may use with the user's ambient credentials.grpc_exec— gRPC service for streaming command execution over Unix sockets.mcpmux— MCP proxy for developing and testing MCP servers. The agent can edit a server, start it throughmcpmux, and exercise it through the same MCP session — a full edit-test cycle.
File access is out of scope. Agents use their native file tools for that.
The sandbox boundary can be drawn at different points.
Agent inside the sandbox. The agent process runs inside sandbox and
executes commands freely; the container wall is the only boundary.
command_filter governs any host-side commands the agent is granted.
Agent outside the sandbox. The agent runs on the host and sends commands
to grpc_exec inside the sandbox over a Unix socket. command_filter
is not needed for sandboxed execution but may still govern other host-side
commands.
Builds and tests are hermetic via Bazel. The main development loop is:
bazel test //...This builds everything and runs all tests. Bazel's caching makes repeated runs fast — only targets affected by your edits are rebuilt.
bazel coverage //... --combined_report=lcovThe combined LCOV report is printed at the end of the output. To render it as HTML:
genhtml --output coverage-html "$(bazel info output_path)/_coverage/_coverage_report.dat"bazel build //dist packages the binaries into a single tarball.
Apache-2.0
Caution
This is not an officially supported Google product.