Isolated dev environments

Coming soon

jailwarden

Run a coding agent in bypass-permissions mode inside a disposable jail — with zero risk to your host machine.

How it works

A shared warden (a firewall built from nft, squid, unbound and DNAT) guards disposable jails, each a VM that runs as a non-root user. State on the host (~/.jailwarden) is the single source of truth: the ruleset, proxy and DNS configuration are rendered from it and hot-applied, so nothing is hand-edited on the warden.

Topology (egress): jail 1 (10.10.1.0/24), jail 2 (10.10.2.0/24) … jail N (10.10.N.0/24), each an agent in bypass mode inside a non-root VM and isolated from the others, sits behind the WARDEN (egress filter and single chokepoint: nft, squid, unbound, DNAT), which forwards only allowlisted egress to the LAN / Internet. The host's ~/.jailwarden is the source of truth; the warden renders and hot-applies from it. Neighbours blocked, host and LAN unreachable: nft default-deny is active.

What it does

Proven isolation

jw verify checks each guarantee one by one: single NIC, allowlist egress, host and LAN unreachable, neighbour jails blocked.

Hot multi-jails

Add or remove jails without restarting the warden (QMP hotplug). Many agents run in parallel behind one firewall.

Full agent workflow

jw shell | agent | review | push | sync: the repository goes in as a seed, and the work comes back out only through review/push run from the host.

Controlled egress

All egress passes through a per-jail domain-allowlist proxy and per-jail DNS; everything else is default-deny.
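What that chokepoint looks like when rendered from host state, as an added example (not jailwarden's own code) covering both the "How it works" description and the egress controls above: a small POSIX sh renderer that turns a constructed jail list into a default-deny nft ruleset, squid allowlist ACLs and an unbound access list. Interface names (jailN), the warden-side address 10.10.N.1 on each jail link, the ports and the squid certificate path are assumptions for illustration; the page does not show jailwarden's actual layout.

```shell
#!/bin/sh
# Added example, not jailwarden's own code: render the warden's default-deny
# nft ruleset, squid allowlist ACLs and unbound access list from a jail list.
# Assumptions (illustrative): jail N is 10.10.N.0/24 on a warden interface
# "jailN" whose address is 10.10.N.1; squid listens on 3128 (http) and 3129
# (https intercept) and unbound on 53 at that address.
set -eu

# Constructed source of truth: one jail per line, "<name> <index>".
JAILS='dev 1
review 2'

jail_net()    { printf '10.10.%s.0/24' "$1"; }
warden_addr() { printf '10.10.%s.1' "$1"; }

render_nft() {
    # `table` + `flush` up front lets `nft -f` replace the whole table
    # atomically, which is what a hot-apply needs.
    printf '%s\n' 'table inet warden {}' 'flush table inet warden' 'table inet warden {'
    printf '%s\n' '  chain prerouting {' \
        '    type nat hook prerouting priority dstnat; policy accept;'
    printf '%s\n' "$JAILS" | while read -r name idx; do
        net=$(jail_net "$idx"); gw=$(warden_addr "$idx")
        # transparent redirect of the jail's web traffic into squid
        printf '    iifname "jail%s" ip saddr %s tcp dport 80 dnat ip to %s:3128\n'  "$idx" "$net" "$gw"
        printf '    iifname "jail%s" ip saddr %s tcp dport 443 dnat ip to %s:3129\n' "$idx" "$net" "$gw"
    done
    printf '%s\n' '  }' '  chain input {' \
        '    type filter hook input priority filter; policy drop;' \
        '    iifname "lo" accept' \
        '    ct state established,related accept'
    printf '%s\n' "$JAILS" | while read -r name idx; do
        net=$(jail_net "$idx"); gw=$(warden_addr "$idx")
        # a jail may reach only its own gateway address, and only DNS + proxy
        printf '    iifname "jail%s" ip saddr %s ip daddr %s udp dport 53 accept\n' "$idx" "$net" "$gw"
        printf '    iifname "jail%s" ip saddr %s ip daddr %s tcp dport { 3128, 3129 } accept\n' "$idx" "$net" "$gw"
    done
    # Nothing is routed on a jail's behalf: no jail-to-jail, no host LAN, no
    # direct internet. Only squid on the warden opens outbound sockets, and
    # every drop is logged so a flow viewer can say why it was blocked.
    printf '%s\n' '  }' '  chain forward {' \
        '    type filter hook forward priority filter; policy drop;' \
        '    log prefix "jw-drop: " drop' '  }' '}'
}

render_squid() {
    # Assumed cert path; peek reads the SNI, splice passes TLS through unread.
    printf '%s\n' 'http_port 3128 intercept' \
        'https_port 3129 intercept ssl-bump tls-cert=/etc/squid/warden-ca.pem' \
        'ssl_bump peek all' 'ssl_bump splice all'
    printf '%s\n' "$JAILS" | while read -r name idx; do
        printf 'acl %s_src src %s\n' "$name" "$(jail_net "$idx")"
        printf 'acl %s_dst dstdomain "/etc/squid/allow/%s.txt"\n' "$name" "$name"
        printf 'http_access allow %s_src %s_dst\n' "$name" "$name"
    done
    printf '%s\n' 'http_access deny all'   # anything not allowlisted is refused
}

render_unbound() {
    printf '%s\n' 'server:' '  access-control: 0.0.0.0/0 refuse'
    printf '%s\n' "$JAILS" | while read -r name idx; do
        printf '  interface: %s\n' "$(warden_addr "$idx")"
        printf '  access-control: %s allow\n' "$(jail_net "$idx")"
    done
}

# Usage: sh render.sh nft > warden.nft && nft -c -f warden.nft   (-c: check only)
case "${1:-}" in
    nft) render_nft ;; squid) render_squid ;; unbound) render_unbound ;;
esac
```

The forward chain deliberately has no accept rule at all: "neighbour jails blocked" and "host and LAN unreachable" then follow from the chain policy rather than from a per-jail rule that could be forgotten when a jail is hot-added, and the only hole a new jail opens is its own DNS and proxy path to its own gateway address.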

Flow observability

jw flows unifies nft / squid / unbound verdicts: see exactly what is blocked and why.

Claude Code plugin

Drive jw in natural language via the /jw skill: probe, explain, plan, confirm, execute.

Preview

shell
jw create dev --profile web-dev --repo ~/dev/myproject
jw warden up -f      # the shared firewall
jw up dev -f         # boot + provisioning + clone
jw verify dev        # 7/7 PASS (10/10 with a 2nd jail)