Agent Sandbox
Runs AI coding agents inside isolated Docker containers. Agents get no root access, no Docker socket, and no ability to escalate privileges — safe to run on your host machine.
pi
pi is an AI coding agent that runs in the terminal.
How it works
pi-dev/
├── Dockerfile # Container image with Node, pi agent, and language runtimes
└── pi # Bash wrapper that launches the container
The pi wrapper script:
- Builds the Docker image (
pi-yolo:latest) on first run, or when--buildis passed - Runs the container with strict security settings (
--cap-drop=ALL,--no-new-privileges) - Bind-mounts the current working directory so the agent can read and edit your files
- Mounts
~/.pi/agentfor persistent extensions and auth across runs - Mounts
~/.agents/skillsso skills are available inside the container - Forwards API keys and pi-related env vars from the host into the container
The container image is based on Chainguard's Node image and includes:
- Node.js + npm (for pi itself and extensions)
- Go 1.26
- PHP 8.4
- Git, curl, ca-certificates
Installation
Run the install script once to symlink pi into /usr/local/bin:
./install.sh
Then build the Docker image:
pi --build
Usage
# Run pi in the current directory pi # Rebuild the image and run pi --build # Pass flags directly to the pi agent pi -- --help
Security model
The container runs as your host UID (non-root), with all Linux capabilities dropped and no-new-privileges enforced. The agent cannot install system packages, access the Docker socket, or escape the container via privilege escalation.


























