MCPcopy Index your code
hub / github.com/Cloud-Exit/ExitBox

github.com/Cloud-Exit/ExitBox @v0.2.3

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.2.3 ↗ · + Follow
1,197 symbols 4,634 edges 149 files 470 documented · 39%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README
  _____      _ _   ____
 | ____|_  _(_) |_| __ )  _____  __
 |  _| \ \/ / | __|  _ \ / _ \ \/ /
 | |___ >  <| | |_| |_) | (_) >  <
 |_____/_/\_\_|\__|____/ \___/_/\_\
              By Cloud Exit / https://cloud-exit.com

ExitBox

CI Coverage Go Report Card License: AGPL-3.0 Release

Multi-Agent Container Sandbox by Cloud Exit

Run AI coding assistants (Claude, Codex, OpenCode, Qwen) in isolated containers with defense-in-depth security.

Getting Started

# Install (Linux/macOS) — download the latest release binary
# See Installation section below for full instructions
mkdir -p ~/.local/bin
curl -fsSL https://github.com/Cloud-Exit/ExitBox/releases/latest/download/exitbox-$(uname -s | tr A-Z a-z)-$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/') -o ~/.local/bin/exitbox
chmod +x ~/.local/bin/exitbox

# Run the setup wizard (first time)
exitbox setup

# Navigate to your project
cd /path/to/your/project

# Run an agent (builds image automatically on first run)
exitbox run claude

# Or run other agents
exitbox run codex
exitbox run opencode
exitbox run qwen

ExitBox automatically: - Builds the container image if needed - Imports your existing config (~/.claude, ~/.codex, etc.) on first run - Mounts your project directory - Sets up the network firewall (Squid proxy)

Features

  • Rootless Containers — runs without host root privileges using Podman's user namespaces (Docker fallback supported)
  • Squid Proxy Firewall — strict domain allowlisting with hard egress isolation; agents can only reach approved destinations
  • Runtime Domain Requests — agents request access to new domains at runtime via exitbox-allow; host user approves via popup
  • Encrypted Vault — AES-256 + Argon2id encrypted secret storage with per-access approval popups; agents can read and write secrets from inside the container
  • Sandbox-Aware Agents — automatic instruction injection tells agents about container restrictions, vault usage, and security rules
  • Named Resumable Sessions — save and resume agent conversations by name across container restarts
  • Multi-Agent Support — run Claude Code, OpenAI Codex, OpenCode, or Qwen Code in the same isolated environment
  • Workspace Isolation — named contexts (personal, work, client) with separate credentials, tools, and vault per workspace
  • Codex Account Switching — save and switch between multiple Codex logins inside a workspace with exitbox codex accounts
  • IDE Integration — Unix socket relay connects host editors (VS Code, Cursor, Windsurf) to agents inside the container for go-to-definition, diagnostics, and code actions
  • Full Git Support — optional mode that mounts host .gitconfig and SSH agent for seamless git operations inside the container
  • GitHub CLI Authentication — pre-flight vault import for GITHUB_TOKEN with automatic in-container export so gh and HTTPS git work transparently
  • RTK Token Optimizer (Experimental) — optional rtk integration reduces CLI output token consumption by 60-90%
  • External Tools — configure third-party tools (GitHub CLI, etc.) via the setup wizard; packages are auto-installed at image build time
  • Supply-Chain Hardened Installs — Claude Code and OpenCode installed via direct download with SHA-256 checksum verification
  • Alpine Base Image — minimal ~5 MB base with 3-layer image hierarchy and incremental rebuilds
  • Setup Wizard — interactive TUI that configures roles, languages, tools, agents, firewall, and vault in one pass
  • Cross-Platform — native binaries for Linux, macOS, and Windows

Security

The project's security posture is rated High / Robust, employing a "Defense in Depth" strategy:

  1. DNS Isolation (The "Moat"): Containers cannot resolve external domain names directly. This forces all traffic through the proxy, as the container "knows" nothing of the outside internet.
  2. Mandatory Proxy Usage: Since direct DNS fails, tools are forced to use the configured http_proxy. Bypassing these variables results in immediate connection failure.
  3. Proxy Access Control: The Squid proxy actively inspects destinations, enforcing a strict allow/deny policy (returning 403 Forbidden for blocked domains).
  4. Capability Restrictions: CAP_NET_RAW and other capabilities are dropped, preventing raw socket creation and network enumeration attacks (e.g., ping is disabled).

Additional hardening: - No Privilege Escalation: --security-opt=no-new-privileges:true enforced - Capability Dropping: --cap-drop=ALL removes all Linux capabilities - Resource Limits: Default 8GB RAM / 4 CPUs to prevent DoS - Secure Defaults: SSH keys (~/.ssh) and AWS credentials (~/.aws) are NOT mounted by default

Sandbox-Aware Agents

ExitBox automatically injects sandbox instructions into each agent on container start. This tells the agent it is running inside a restricted container so it won't attempt actions that can't work (e.g., running docker, podman, or managing infrastructure).

Instructions are written to each agent's native global instructions file:

Agent Instructions file
Claude ~/.claude/CLAUDE.md
Codex ~/.codex/AGENTS.md
OpenCode ~/.config/opencode/AGENTS.md

If the file already exists (e.g., from your own global instructions), ExitBox appends the sandbox notice once. The instructions inform the agent about network restrictions, dropped capabilities, and the read-only nature of the environment so it can focus on writing and debugging code within /workspace.

IDE Integration

ExitBox can relay Unix sockets between the host and container so editors running on the host (VS Code, Cursor, Windsurf, etc.) can communicate with agents inside the sandbox. This enables features like go-to-definition, diagnostics, and code actions to work across the container boundary.

The relay is automatic — when an agent starts, ExitBox detects running IDE instances and establishes a socket tunnel. No manual configuration is needed.

Full Git Support

By default, containers have no access to host git credentials. Full git support mode mounts the host .gitconfig and SSH agent into the container so git operations (clone, push, pull) work transparently with your existing configuration.

# Enable per-session:
exitbox run claude --full-git-support

# Or enable permanently in the setup wizard:
exitbox setup
# → Settings → Full Git Support

When full git support is enabled and the network firewall is active, SSH traffic (e.g., git push to GitHub) is automatically tunneled through the Squid proxy. This works even without SSH_AUTH_SOCK being set on the host.

External Tools

External tools are third-party CLI tools (Bun, GitHub CLI, etc.) that can be selected during setup. Their required packages are automatically installed at image build time.

# Configure via the setup wizard:
exitbox setup
# → Settings → External Tools → select tools

GitHub CLI Authentication

When GitHub CLI is selected as an external tool and the vault is enabled for the workspace, ExitBox provides seamless gh authentication:

Pre-flight prompt (host side): Before launching an agent, ExitBox checks whether GITHUB_TOKEN exists in the workspace vault. If missing, it offers to import it:

GitHub CLI is enabled but GITHUB_TOKEN is not in your vault.
Import it now? [y/N]: y
Enter vault password: ****
Paste your GitHub token: ****
✓ GITHUB_TOKEN stored in vault for workspace 'default'

Auto-export (container side): On container startup, the entrypoint fetches GITHUB_TOKEN from the vault via IPC (triggering an approval popup on the host), exports it as GH_TOKEN, and runs gh auth setup-git to configure git credential helpers. This means gh commands and HTTPS git operations authenticate transparently.

# Inside the container, these just work:
gh pr list
gh issue create --title "Bug report"
git push origin main   # uses gh credential helper for HTTPS

The token is never stored in the container filesystem. Every vault read triggers a host-side approval popup, giving you full control over secret access.

OpenCode Authentication

OpenCode supports OAuth login for providers like Google (Gemini). The OAuth flow starts a local callback server inside the container, and ExitBox automatically publishes the callback port (8085) to the host so the browser redirect works.

exitbox run opencode -- auth login    # starts OAuth flow, opens browser URL on host
exitbox run opencode -- auth logout   # remove stored credentials

When the firewall is active, Google OAuth domains (google.com, googleapis.com) are included in the default allowlist. If you use a provider with a different OAuth domain, add it via exitbox-allow <domain> or the -a flag.

Codex Account Switching

Codex CLI stores its login state in .codex, but ExitBox can keep multiple named Codex accounts per workspace and swap the active one without touching the rest of the workspace.

# Save the current login under a name
exitbox codex accounts save personal

# Create an empty slot for another login
exitbox codex accounts add work

# Log into that slot from your host shell
# Do not type /login inside the Codex prompt
exitbox run codex --workspace default -- login
exitbox codex accounts save work

# Switch back later
exitbox codex accounts switch personal
exitbox codex accounts list
exitbox codex accounts current

How it works:

  • The active account for a workspace stays in that workspace's normal Codex config directory.
  • Saved accounts are stored as named sidecar copies under the same workspace profile.
  • save <name> snapshots the currently active Codex login.
  • add <name> creates a new empty active slot and clears the current Codex login so you can run codex login.
  • switch <name> saves the current active login back to its named slot, then restores the requested one.
  • list shows saved accounts and whether one is current, previous, or still pending login.
  • current shows the current and previous account names recorded for that workspace.

Notes:

  • Account switching is workspace-local. personal in workspace work is separate from personal in workspace default.
  • Use --workspace <name> with any of these commands to manage accounts for a non-active workspace.
  • If the current Codex login has never been named, add or switch will ask you to save it first with exitbox codex accounts save <name>.

RTK Token Optimizer (Experimental)

rtk wraps common CLI commands to produce compact, token-optimized output — reducing agent token consumption by 60-90%. When enabled, rtk is built from source at image build time using a musl-native Rust toolchain. It adds zero image size overhead when disabled.

# Enable via the setup wizard:
exitbox setup
# → Settings → RTK → Enable

When RTK is enabled, sandbox instructions injected into the agent automatically guide it to prefix supported commands with rtk:

rtk git status         # compact git output
rtk go test ./...      # compact test results
rtk ls /workspace      # compact directory listing
rtk gh pr list         # compact GitHub CLI output
rtk grep <pattern>     # compact search results

Supported command categories: git, go, gh, grep, ls, curl, cargo, pytest, pnpm, docker, kubectl, and more. See the rtk documentation for the full list.

Agent-level management commands:

exitbox agents list            # Show enabled agents and their status
exitbox agents config claude   # Open agent config in $EDITOR

Note: RTK is experimental. If you encounter issues, disable it via exitbox setup and rebuild with exitbox run <agent> --update.

Agent Skills

Skills are reusable SKILL.md files that give agents specialized capabilities (coding conventions, deploy workflows, review checklists, etc.). ExitBox provides a universal skill installer that works across all agents. Skills are installed once per workspace and automatically linked into each agent's skill directory at container start.

# Install from a GitHub directory (fetches all files recursively)
exitbox skills install https://github.com/anthropics/skills/tree/main/skills/frontend-design

# Install from a raw URL
exitbox skills install https://example.com/path/to/SKILL.md

# Install from a local directory or file
exitbox skills install ./my-skill/
exitbox skills install ./deploy/SKILL.md

# Override the skill name
exitbox skills install https://github.com/user/repo/tree/main/skills/foo --name my-custom-name

# Install into a specific workspace
exitbox skills install ./my-skill -w work

# List and remove
exitbox skills list
exitbox skills remove frontend-design

Skills are stored at ~/.config/exitbox/profiles/global/<workspace>/skills/<name>/. On container start, ExitBox symlinks each skill into the active agent's native skill path:

| Agent | Skill path inside container

Extension points exported contracts — how you extend this code

Runtime (Interface)
Runtime is the container runtime interface. [3 implementers]
internal/container/runtime.go
Agent (Interface)
(no doc) [4 implementers]
internal/agent/agent.go
SecretProvider (FuncType)
SecretProvider is a function that returns the current map of secrets to redact.
internal/redactor/redact.go
HandlerFunc (FuncType)
64 KB HandlerFunc processes an IPC request and returns a response payload.
internal/ipc/server.go

Core symbols most depended-on inside this repo

Error
called by 150
internal/profile/manager.go
Errorf
called by 134
internal/ui/log.go
Close
called by 94
internal/vault/vault.go
Warnf
called by 79
internal/ui/log.go
Run
called by 69
internal/container/runtime.go
Successf
called by 44
internal/ui/log.go
Name
called by 42
internal/agent/agent.go
Handle
called by 41
internal/ipc/server.go

Shape

Function 791
Method 282
Struct 118
FuncType 2
Interface 2
TypeAlias 2

Languages

Go100%

Modules by API surface

internal/wizard/tui.go82 symbols
internal/container/runtime.go41 symbols
internal/vault/vault.go25 symbols
internal/vault/vault_test.go24 symbols
internal/agents/codex/accounts.go24 symbols
internal/agent/agent.go22 symbols
cmd/uninstall_test.go20 symbols
internal/session/session_test.go19 symbols
internal/ipc/protocol.go19 symbols
internal/container/mock_runtime_test.go19 symbols
cmd/run_flags_test.go19 symbols
cmd/exitbox-kv/main.go19 symbols

For agents

$ claude mcp add ExitBox \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact