VibeHunt

greywall

Deny-by-default sandbox with filesystem and network isolation.

The tool provides a container-free sandbox that denies all filesystem and network access by default and allows only explicitly permitted resources. On Linux it enforces isolation through mechanisms such as Bubblewrap namespaces, Landlock, Seccomp BPF, eBPF monitoring, and a TUN-based network capture; on macOS it offers comparable restrictions. Users can run arbitrary commands, AI coding agents, or development tools inside the sandbox, and can optionally route network traffic through a transparent proxy that includes a live allow/deny dashboard.

Built‑in profiles simplify sandboxing for popular AI coding assistants, and a learning mode can trace a command’s actual resource usage and automatically generate a least‑privilege configuration. The system also blocks dangerous commands like recursive deletions or forced Git pushes, and it supports custom command deny rules.

Installation is available via Homebrew, a shell script, Go install, or source build, and the package includes a dependency checker and utilities for managing the accompanying proxy component. The sandbox is intended for developers who need to run AI‑driven code safely on Linux or macOS without the overhead of full containers.
