Go hard on agents, not on your filesystem.

Use jai for effortless containment of AI agents on Linux.

People are already reporting lost files, emptied working trees, and wiped home directories after giving AI tools ordinary machine access.

There's a gap between giving an agent your real account and stopping everything to build a container or VM. jai fills that gap. One command, no images, no Dockerfiles — just a light-weight boundary for the workflows you're already running: quick coding help, one-off local tasks, running installer scripts you didn't write.

Use AI agents without handing over your whole account. jai gives your working directory full access and keeps the rest of your home behind a copy-on-write overlay — or hidden entirely.

One-line installer scripts, AI-generated shell commands, unfamiliar CLIs — stop running them against your real home directory. Drop jai in front and the worst case gets a lot smaller.

No images to build, no Dockerfiles to maintain, no 40-flag bwrap invocations. Just jai your-agent. If containment isn't easier than YOLO mode, nobody will bother.

Features

• Prefix your command: jai codex, jai claude, or just jai for a shell.
• CWD stays writable: Your working directory keeps full read/write access inside the jail.
• Home is an overlay: Changes to your home directory are captured copy-on-write. Originals are untouched.
• Rest is locked down: /tmp and /var/tmp are private. All other files are read-only.

Isolation Levels

| Feature | Casual | Strict | Bare | |---|---|---|---| | Home directory | Copy-on-write overlay | Empty private home | Empty private home | | Process runs as | Your user | Unprivileged jai user | Your user | | Confidentiality | Weak — most files readable | Strong — separate UID | Medium — your UID, but home hidden | | Integrity | Overlay protects originals | Full isolation | Full isolation | | NFS home support | Yes | No | Yes |

jai is free software, brought to you by the Stanford Secure Computer Systems research group and the Future of Digital Currency Initiative. The goal is to get people using AI more safely.

jai is not trying to replace containers. It fills a different niche. Unlike Docker, it is designed for ad-hoc sandboxing of host tools without image overhead. Unlike chroot, it provides real isolation via namespaces.

Security Note: jai is a casual sandbox — it reduces the blast radius, but does not eliminate all the ways AI agents can harm you or your system. When you need strong multi-tenant isolation or defense against a determined adversary, use a proper container or virtual machine.