Go hard on agents, not on your filesystem

Original link: https://jai.scs.stanford.edu/

## Jai: a lightweight AI sandbox

AI tools are increasingly given access to users' systems, and lost files and security holes are being reported as a result. **Jai** offers a simple answer: a lightweight sandbox that limits the damage an untrusted AI agent can do.

With a single command (`jai your-agent`), Jai creates an isolated environment without the complexity of Docker or a VM. Your current working directory stays fully accessible, while your home directory is protected by a copy-on-write overlay (or hidden entirely), so the original files cannot be modified.

Jai offers three isolation modes, casual, strict and bare, that balance ease of use against security. It is designed for quick tasks such as coding assistance or running unfamiliar scripts, substantially reducing the "blast radius" of potentially harmful AI actions.

Developed by Stanford researchers, Jai is free software intended to make AI use safer; it is *not* a replacement for robust containerization when strong security is required. It is a practical step toward safer AI interaction that prioritizes ease of use and lowers the risk in everyday workflows.

Hacker News: Go hard on agents, not on your filesystem (stanford.edu), 8 points by mazieres 51 minutes ago | 2 comments

BoppreH, 4 minutes ago:
Excellent engineering project; a pity the title isn't more appealing. I almost didn't click through. I like the trade-off it offers: full access to the current directory, read-only access to the rest, and copy-on-write for the home directory. There is also a stricter mode to (presumably) prevent data exfiltration. It really feels like this should be the default for agent systems.

mazieres, 51 minutes ago:
What will it take for people to stop recklessly running unconstrained AI agents on the machines they actually care about? One Stanford researcher thinks the answer is a new lightweight Linux container system that you don't need to configure or think about.
Original article

This is not hypothetical.

People are already reporting lost files, emptied working trees, and wiped home directories after giving AI tools ordinary machine access.

There's a gap between giving an agent your real account and stopping everything to build a container or VM. jai fills that gap. One command, no images, no Dockerfiles — just a light-weight boundary for the workflows you're already running: quick coding help, one-off local tasks, running installer scripts you didn't write.

Your files, your rules

Use AI agents without handing over your whole account. jai gives your working directory full access and keeps the rest of your home behind a copy-on-write overlay — or hidden entirely.

Stop trusting blindly

One-line installer scripts, AI-generated shell commands, unfamiliar CLIs — stop running them against your real home directory. Drop jai in front and the worst case gets a lot smaller.

Containment shouldn't be hard

No images to build, no Dockerfiles to maintain, no 40-flag bwrap invocations. Just `jai your-agent`. If containment isn't easier than YOLO mode, nobody will bother.

How it works

One command. No setup required.

1. Prefix your command: `jai codex`, `jai claude`, or just `jai` for a shell.
2. CWD stays writable: your working directory keeps full read/write access inside the jail.
3. Home is an overlay: changes to your home directory are captured copy-on-write. Originals are untouched.
4. Rest is locked down: /tmp and /var/tmp are private. All other files are read-only.

Three modes

Pick the level of isolation that fits your workflow.

| | Casual | Strict | Bare |
|---|---|---|---|
| Home directory | Copy-on-write overlay | Empty private home | Empty private home |
| Process runs as | Your user | Unprivileged jai user | Your user |
| Confidentiality | Weak — most files readable | Strong — separate UID | Medium — your UID, but home hidden |
| Integrity | Overlay protects originals | Full isolation | Full isolation |
| NFS home support | Yes | No | Yes |
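One way to confirm, from inside the jail, that the "How it works" steps and the mode table above actually hold is a small probe script. This is an added example, not jai's own code: it records what the process can see and write and compares that with the documented guarantees of the chosen mode. The file name `probe_jail.py`, the `.bashrc` home marker and the assumption that "read-only" shows up as an EROFS mount error (rather than an ordinary permission error) are mine, not the page's.

```python
"""Probe from inside the jail whether the boundaries jai documents hold.
Run as: jai python3 probe_jail.py [casual|strict|bare]  (constructed example)."""
import errno
import os
import sys
import tempfile

# Documented guarantees (steps + mode table).  Strict/bare give an empty private
# home, so the only home check there is that the ORIGINAL home is not visible.
_PRIVATE_HOME = {"cwd": "rw", "home_original_visible": False,
                 "tmp": "rw", "var_tmp": "rw", "etc": "ro"}
EXPECTED = {
    "casual": {"cwd": "rw", "home": "rw", "home_original_visible": True,
               "tmp": "rw", "var_tmp": "rw", "etc": "ro"},
    "strict": _PRIVATE_HOME, "bare": _PRIVATE_HOME,
}

def probe_dir(path):
    """Create and remove a file in path.  EROFS ("ro") is a read-only mount; EACCES/
    EPERM ("denied") is plain permission denial, which you also get outside any jail."""
    if not os.path.isdir(path):
        return "missing"
    try:
        fd, tmp = tempfile.mkstemp(prefix=".jai-probe-", dir=path)
    except OSError as e:
        if e.errno == errno.EROFS:
            return "ro"
        if e.errno in (errno.EACCES, errno.EPERM):
            return "denied"
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    os.close(fd)
    os.unlink(tmp)
    return "rw"

def observe(home_marker=".bashrc"):  # marker: a file known to exist in your real home (assumption)
    home = os.path.expanduser("~")
    return {"cwd": probe_dir(os.getcwd()), "home": probe_dir(home),
            "home_original_visible": os.path.exists(os.path.join(home, home_marker)),
            "tmp": probe_dir("/tmp"), "var_tmp": probe_dir("/var/tmp"),
            "etc": probe_dir("/etc")}

def check(observed, mode):
    """(key, expected, observed) for each documented guarantee of mode that fails."""
    return [(k, v, observed.get(k)) for k, v in EXPECTED[mode].items()
            if observed.get(k) != v]

if __name__ == "__main__":
    obs = observe()
    bad = check(obs, sys.argv[1] if len(sys.argv) > 1 else "casual")
    print("\n".join("%-22s %s" % kv for kv in obs.items()), "\nMISMATCH:" if bad else "\nOK", bad or "")
```

Running the same script outside the jail is the control: `/etc` then reports `denied` rather than `ro`, which is exactly the difference between "you lack permission" and "the sandbox mounted it read-only".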

Free software, not a funnel

jai is free software, brought to you by the Stanford Secure Computer Systems research group and the Future of Digital Currency Initiative. The goal is to get people using AI more safely.

Versus the alternatives

jai is not trying to replace containers. It fills a different niche.

Docker

Great for reproducible, image-based environments. Heavier to set up for ad-hoc sandboxing of host tools. No overlay-on-home workflow.

bubblewrap

Powerful namespace sandbox. Requires explicitly assembling the filesystem view — often turns into a long wrapper script, which is the friction jai removes.

chroot

Not a security mechanism. No mount isolation, no PID namespace, no credential separation. Linux documents it as not intended for sandboxing.

jai is not a promise of perfect safety.

jai is a casual sandbox — it reduces the blast radius, but does not eliminate all the ways AI agents can harm you or your system. Casual mode does not protect confidentiality. Even strict mode is not equivalent to a hardened container runtime or VM. When you need strong multi-tenant isolation or defense against a determined adversary, use a proper container or virtual machine. Read the full security model →
