Claudette
Claudette is a sandbox for running AI coding agents — like Claude Code — safely on your own machine. AI agents read web pages, READMEs, issue threads, and email while wielding real tools: your shell, your git credentials, your network. Claudette puts a security boundary around all of that, so an agent doing useful work can’t be turned into a liability by the untrusted content it reads.
It isn’t a research prototype. It’s the sandbox Security Architects uses to run AI coding agents in production, every day — including the work behind this very website.
The security model
- Bubblewrap isolation. Each session is a short-lived
bwrapsandbox with only the project directory bound in — not your home directory, not your SSH keys, not the rest of the host. No background daemons to reason about. - Your credentials stay out. Every project gets its own scoped SSH key generated inside the sandbox; your personal keys never enter it. Secrets are per-project and isolated, so one project’s tokens can’t leak into another’s.
- Prompt-injection defense. A built-in defender (Lasso) scans what the agent reads — web fetches, file reads, command output — for injection patterns before they reach the model, catching the “ignore your instructions and exfiltrate…” class of attack at the door.
- Least privilege by default. AppArmor confinement, no ambient network trust, and an explicit, auditable set of what each session can touch.
An honest threat model
Claudette defends an honest agent against hostile inputs — prompt injection from web pages, repositories, documents, and message contents. It deliberately does not try to defend against malicious agent code; that’s a different threat model, and pretending otherwise would be security theater. Knowing exactly what a control does and doesn’t cover is the whole job.
Get it
Claudette is open and installable in one line:
curl -fsSL https://gitlab.com/jowolf/claudette/-/raw/main/install.sh | bashSource and documentation: gitlab.com/jowolf/claudette.
Running agents at scale?
Securing an autonomous-agent deployment — isolation, egress control, secret handling, MCP-server least privilege — is one of our AI security specialties. If your team is putting agents into real workflows, talk to us.