_____ _ _ ____
| ____|_ _(_) |_| __ ) _____ __
| _| \ \/ / | __| _ \ / _ \ \/ /
| |___ > <| | |_| |_) | (_) > <
|_____/_/\_\_|\__|____/ \___/_/\_\
By Cloud Exit / https://cloud-exit.com
Multi-Agent Container Sandbox by Cloud Exit
Run AI coding assistants (Claude, Codex, OpenCode, Qwen) in isolated containers with defense-in-depth security.
# Install (Linux/macOS) — download the latest release binary
# See Installation section below for full instructions
mkdir -p ~/.local/bin
curl -fsSL https://github.com/Cloud-Exit/ExitBox/releases/latest/download/exitbox-$(uname -s | tr A-Z a-z)-$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/') -o ~/.local/bin/exitbox
chmod +x ~/.local/bin/exitbox
# Run the setup wizard (first time)
exitbox setup
# Navigate to your project
cd /path/to/your/project
# Run an agent (builds image automatically on first run)
exitbox run claude
# Or run other agents
exitbox run codex
exitbox run opencode
exitbox run qwen
ExitBox automatically:
- Builds the container image if needed
- Imports your existing config (~/.claude, ~/.codex, etc.) on first run
- Mounts your project directory
- Sets up the network firewall (Squid proxy)
exitbox-allow; host user approves via popupexitbox codex accounts.gitconfig and SSH agent for seamless git operations inside the containerGITHUB_TOKEN with automatic in-container export so gh and HTTPS git work transparentlyThe project's security posture is rated High / Robust, employing a "Defense in Depth" strategy:
http_proxy. Bypassing these variables results in immediate connection failure.403 Forbidden for blocked domains).CAP_NET_RAW and other capabilities are dropped, preventing raw socket creation and network enumeration attacks (e.g., ping is disabled).Additional hardening:
- No Privilege Escalation: --security-opt=no-new-privileges:true enforced
- Capability Dropping: --cap-drop=ALL removes all Linux capabilities
- Resource Limits: Default 8GB RAM / 4 CPUs to prevent DoS
- Secure Defaults: SSH keys (~/.ssh) and AWS credentials (~/.aws) are NOT mounted by default
ExitBox automatically injects sandbox instructions into each agent on container start. This tells the agent it is running inside a restricted container so it won't attempt actions that can't work (e.g., running docker, podman, or managing infrastructure).
Instructions are written to each agent's native global instructions file:
| Agent | Instructions file |
|---|---|
| Claude | ~/.claude/CLAUDE.md |
| Codex | ~/.codex/AGENTS.md |
| OpenCode | ~/.config/opencode/AGENTS.md |
If the file already exists (e.g., from your own global instructions), ExitBox appends the sandbox notice once. The instructions inform the agent about network restrictions, dropped capabilities, and the read-only nature of the environment so it can focus on writing and debugging code within /workspace.
ExitBox can relay Unix sockets between the host and container so editors running on the host (VS Code, Cursor, Windsurf, etc.) can communicate with agents inside the sandbox. This enables features like go-to-definition, diagnostics, and code actions to work across the container boundary.
The relay is automatic — when an agent starts, ExitBox detects running IDE instances and establishes a socket tunnel. No manual configuration is needed.
By default, containers have no access to host git credentials. Full git support mode mounts the host .gitconfig and SSH agent into the container so git operations (clone, push, pull) work transparently with your existing configuration.
# Enable per-session:
exitbox run claude --full-git-support
# Or enable permanently in the setup wizard:
exitbox setup
# → Settings → Full Git Support
When full git support is enabled and the network firewall is active, SSH traffic (e.g., git push to GitHub) is automatically tunneled through the Squid proxy. This works even without SSH_AUTH_SOCK being set on the host.
External tools are third-party CLI tools (Bun, GitHub CLI, etc.) that can be selected during setup. Their required packages are automatically installed at image build time.
# Configure via the setup wizard:
exitbox setup
# → Settings → External Tools → select tools
When GitHub CLI is selected as an external tool and the vault is enabled for the workspace, ExitBox provides seamless gh authentication:
Pre-flight prompt (host side): Before launching an agent, ExitBox checks whether GITHUB_TOKEN exists in the workspace vault. If missing, it offers to import it:
GitHub CLI is enabled but GITHUB_TOKEN is not in your vault.
Import it now? [y/N]: y
Enter vault password: ****
Paste your GitHub token: ****
✓ GITHUB_TOKEN stored in vault for workspace 'default'
Auto-export (container side): On container startup, the entrypoint fetches GITHUB_TOKEN from the vault via IPC (triggering an approval popup on the host), exports it as GH_TOKEN, and runs gh auth setup-git to configure git credential helpers. This means gh commands and HTTPS git operations authenticate transparently.
# Inside the container, these just work:
gh pr list
gh issue create --title "Bug report"
git push origin main # uses gh credential helper for HTTPS
The token is never stored in the container filesystem. Every vault read triggers a host-side approval popup, giving you full control over secret access.
OpenCode supports OAuth login for providers like Google (Gemini). The OAuth flow starts a local callback server inside the container, and ExitBox automatically publishes the callback port (8085) to the host so the browser redirect works.
exitbox run opencode -- auth login # starts OAuth flow, opens browser URL on host
exitbox run opencode -- auth logout # remove stored credentials
When the firewall is active, Google OAuth domains (google.com, googleapis.com) are included in the default allowlist. If you use a provider with a different OAuth domain, add it via exitbox-allow <domain> or the -a flag.
Codex CLI stores its login state in .codex, but ExitBox can keep multiple named Codex accounts per workspace and swap the active one without touching the rest of the workspace.
# Save the current login under a name
exitbox codex accounts save personal
# Create an empty slot for another login
exitbox codex accounts add work
# Log into that slot from your host shell
# Do not type /login inside the Codex prompt
exitbox run codex --workspace default -- login
exitbox codex accounts save work
# Switch back later
exitbox codex accounts switch personal
exitbox codex accounts list
exitbox codex accounts current
How it works:
save <name> snapshots the currently active Codex login.add <name> creates a new empty active slot and clears the current Codex login so you can run codex login.switch <name> saves the current active login back to its named slot, then restores the requested one.list shows saved accounts and whether one is current, previous, or still pending login.current shows the current and previous account names recorded for that workspace.Notes:
personal in workspace work is separate from personal in workspace default.--workspace <name> with any of these commands to manage accounts for a non-active workspace.add or switch will ask you to save it first with exitbox codex accounts save <name>.rtk wraps common CLI commands to produce compact, token-optimized output — reducing agent token consumption by 60-90%. When enabled, rtk is built from source at image build time using a musl-native Rust toolchain. It adds zero image size overhead when disabled.
# Enable via the setup wizard:
exitbox setup
# → Settings → RTK → Enable
When RTK is enabled, sandbox instructions injected into the agent automatically guide it to prefix supported commands with rtk:
rtk git status # compact git output
rtk go test ./... # compact test results
rtk ls /workspace # compact directory listing
rtk gh pr list # compact GitHub CLI output
rtk grep <pattern> # compact search results
Supported command categories: git, go, gh, grep, ls, curl, cargo, pytest, pnpm, docker, kubectl, and more. See the rtk documentation for the full list.
Agent-level management commands:
exitbox agents list # Show enabled agents and their status
exitbox agents config claude # Open agent config in $EDITOR
Note: RTK is experimental. If you encounter issues, disable it via
exitbox setupand rebuild withexitbox run <agent> --update.
Skills are reusable SKILL.md files that give agents specialized capabilities (coding conventions, deploy workflows, review checklists, etc.). ExitBox provides a universal skill installer that works across all agents. Skills are installed once per workspace and automatically linked into each agent's skill directory at container start.
# Install from a GitHub directory (fetches all files recursively)
exitbox skills install https://github.com/anthropics/skills/tree/main/skills/frontend-design
# Install from a raw URL
exitbox skills install https://example.com/path/to/SKILL.md
# Install from a local directory or file
exitbox skills install ./my-skill/
exitbox skills install ./deploy/SKILL.md
# Override the skill name
exitbox skills install https://github.com/user/repo/tree/main/skills/foo --name my-custom-name
# Install into a specific workspace
exitbox skills install ./my-skill -w work
# List and remove
exitbox skills list
exitbox skills remove frontend-design
Skills are stored at ~/.config/exitbox/profiles/global/<workspace>/skills/<name>/. On container start, ExitBox symlinks each skill into the active agent's native skill path:
| Agent | Skill path inside container
$ claude mcp add ExitBox \
-- python -m otcore.mcp_server <graph>