jai: A Lightweight Sandbox for AI Agents on Linux

When AI coding assistants started wiping home directories and deleting entire drives, Stanford researchers saw a problem worth solving. The result is jai, a lightweight containment tool that sits between giving AI agents full machine access and spinning up a full virtual machine.

The security model is simple: AI agents need filesystem access to be useful, but that access has become a liability. Users report losing 15 years of family photos, having development projects wiped, and watching 100GB of files disappear after running AI tools. The common thread? Ordinary machine access turned catastrophic.

GitHub - stanford-ssi/jai: A lightweight sandbox for AI agents on Linux

The Containment Gap

There's a practical gap between trusting AI agents with your entire account and the overhead of building containers or VMs for quick tasks. jai fills this gap with a one-command approach: jai codex, jai claude, or just jai for a shell. No images to build, no Dockerfiles to maintain, no 40-flag bwrap invocations.

The tool works by creating a lightweight boundary around workflows you're already running: quick coding help, one-off local tasks, running installer scripts you didn't write. Your working directory stays writable with full read/write access, while the rest of your home directory gets protection through a copy-on-write overlay.

How It Works

Three isolation modes let you pick the right level of protection:

Casual mode runs as your user with a copy-on-write overlay on your home directory. Changes are captured without touching originals. This is the weakest protection but works with NFS home directories.

Strict mode runs as an unprivileged jai user with a separate UID. Your home directory becomes an empty private home, providing stronger confidentiality.

Bare mode runs as your user but hides your home directory entirely, giving medium protection while maintaining your credentials.

The Technical Approach

Under the hood, jai uses Linux namespaces and overlay filesystems. Your current working directory keeps full access inside the jail. Changes to your home directory are captured copy-on-write, leaving originals untouched. Temporary directories like /tmp and /var/tmp become private, while all other files are read-only.

This approach differs from containers in key ways. Docker excels at reproducible, image-based environments but requires more setup for ad-hoc sandboxing. Bubblewrap offers powerful namespace sandboxing but often turns into long wrapper scripts. Chroot isn't designed for security—it lacks mount isolation, PID namespaces, and credential separation.

The Reality Check

jai isn't a promise of perfect safety. It's a casual sandbox that reduces blast radius but doesn't eliminate all ways AI agents can harm you. Casual mode doesn't protect confidentiality. Even strict mode isn't equivalent to a hardened container runtime or VM.

When you need strong multi-tenant isolation or defense against determined adversaries, use proper containers or virtual machines. jai is for the 90% case where you want reasonable protection without the overhead.

The tool comes from the Stanford Secure Computer Systems research group and the Future of Digital Currency Initiative. It's free software with a simple goal: get people using AI more safely by making containment easier than YOLO mode.

For developers who've watched AI agents go rogue on their systems, jai offers a pragmatic middle ground. It won't stop every possible attack, but it might save your home directory from the next AI-generated shell command that goes wrong.