AI coding agents are useful, but in a corporate environment they are often too privileged by default.
They can read files, edit code, run commands, inherit environment variables, and talk to the network. I wanted a smaller trust boundary for tools like Claude Code and Codex CLI.
So I built compartment, a small Linux process isolation toolkit with:
- compartment-user — rootless confinement using Landlock, seccomp, and no_new_privs
- compartment-root — stronger namespace-based isolation when needed
- one shared profile format
- zero external dependencies
This is also a rebuild of an old idea. Back in 2003, I wrote shell-guard, a wrapper that intercepted shell execution and applied policy early. Modern Linux finally has the kernel primitives to do that idea properly.
I built compartment primarily for AI-agent sandboxing, but the same logic also applies to other semi-trusted local tools, including SSH.
Small tool. Explicit policy. Lower blast radius.
- GitHub: github.com/nmicic/compartment
- README: github.com/nmicic/compartment#readme
