← Back to research
·8 min read·tool

shai

shai is an open-source Go CLI by Colony-2 that sandboxes AI coding agents in restrictive-by-default containers — read-only mounts, allowlisted network, and context-dependent resource sets that give agents only what they need.

https://github.com/colony-2/shai
profilesandboxescoding-agentsopen-sourcedockersecurity

Key takeaways

  • Restrictive by default — agents get read-only access with opt-in write permissions per subdirectory, flipping the typical 'permissive container' model
  • Resource Sets enable context-dependent access control — different parts of a codebase can expose different network destinations, env vars, and host mounts
  • Team-friendly config via .shai/config.yaml committed to the repo — security policy travels with the code, not the developer
  • Supports all major AI coding agents (Claude Code, Codex, Gemini CLI, Cline, OpenHands) with a philosophy of 'cellular software development'

FAQ

What is shai?

shai is an open-source CLI tool that runs AI coding agents inside Docker containers with restrictive-by-default isolation — read-only source mounts, allowlisted network access, and context-dependent resource sets that constrain what each agent can reach.

How does shai differ from yolobox?

yolobox gives agents full sudo inside a container with minimal restrictions. shai takes the opposite approach: everything is locked down by default, and you explicitly opt in to write access, network destinations, and environment variables per context.

How much does shai cost?

Free and open source under the MIT license. You bring your own API keys and Docker runtime.

What is a Resource Set in shai?

A named collection of allowed HTTP destinations, host mounts, IP ports, environment variables, and remote calls. Resource Sets let you define context-dependent access — a frontend component might get npm registry access while a backend service gets database credentials.

What AI coding agents does shai support?

Claude Code, OpenAI Codex, Gemini CLI, Cline, and OpenHands. Any agent that runs in a terminal can be wrapped.

Overview

shai is an open-source CLI tool written in Go that sandboxes AI coding agents inside Docker containers with a restrictive-by-default security model. Where most agent sandboxes focus on keeping agents from destroying your home directory (the yolobox approach), shai starts from the opposite premise: agents get the minimum access necessary, and everything else is denied.

The project comes from Colony-2 and embodies a philosophy they call "cellular software development" — the idea that AI agents should get constrained access to individual components of a codebase, not carte blanche to the entire repo. It's a fundamentally different bet: that security-conscious teams will trade some setup friction for granular control over what their agents can read, write, and reach.

AttributeValue
MaintainerColony-2
CreatedNovember 19, 2025
LanguageGo
LicenseMIT
Websiteshai.run
GitHub Stars40 (as of June 2026)
Latest Releasev0.0.11 (June 1, 2026)
Installnpm install -g @colony2/shai or brew install --cask colony-2/tap/shai

Status (as of June 11, 2026): Alive but quiet. The repo is not archived and was last pushed June 1, 2026, but development has slowed to roughly one small release per month since this profile was first written — v0.0.8 through v0.0.11 (April–June 2026) consist mostly of additions to the bundled shai-mega image (uvx, wrangler, kubectl tooling) and a base-image pin. Stars have moved from ~39 to 40 in nearly three months, and the npm package saw 455 downloads in the month ending June 2, 2026. Pricing is unchanged: free, MIT-licensed, bring your own API keys and Docker runtime.

How It Works

When you run shai from a project directory, it builds or pulls a container image, mounts your source code as read-only, and drops you (or your agent) into a non-root shell inside the container.

The key workflow:

  1. Read-only by default — Your project is mounted at /src as a read-only filesystem. The agent can read everything but write nothing.
  2. Opt-in write access — Use the -rw flag to grant writable overlays for specific subdirectories (e.g., shai -rw src/components). Only those paths become writable.
  3. Apply rules — shai can auto-select resource sets, container images, and platforms based on the target path, so different parts of your monorepo get different security contexts.
  4. Agent runs inside — Claude Code, Codex, Gemini CLI, Cline, or OpenHands runs inside the container with whatever permissions you've explicitly granted.

shai ships two container images: shai-base (minimal, fast) and shai-mega (batteries-included with common runtimes and tools pre-installed).

Resource Sets

Resource Sets are shai's core abstraction for access control. A Resource Set is a named collection that defines:

  • HTTP destinations — Allowlisted URLs the agent can reach (e.g., registry.npmjs.org, api.openai.com)
  • Host mounts — Additional directories from the host that get mounted into the container
  • IP ports — Which ports the container can bind or connect to
  • Environment variables — Which env vars get passed through to the agent
  • Remote calls — Allowed outbound API endpoints

Resource Sets are defined in .shai/config.yaml and committed to the repository. This means security policy travels with the code — when a new developer clones the repo, they get the same access constraints as everyone else. No per-developer configuration drift.

The power is in composition: different parts of a codebase can reference different Resource Sets. A frontend component might get access to the npm registry and a CDN, while a backend service gets database credentials and internal API endpoints. Apply rules handle the mapping automatically based on file paths.

Security Model

shai's security model is defense-in-depth with multiple layers:

Filesystem Isolation

  • Source code mounted read-only at /src
  • Writable overlays only for explicitly -rw flagged paths
  • Agent cannot modify files outside granted write paths

Network Restriction

  • All network traffic is blocked by default
  • Only allowlisted HTTP/HTTPS destinations (defined in Resource Sets) can be reached
  • No arbitrary outbound connections — prevents data exfiltration to unexpected endpoints

Container Hardening

  • Runs as a non-root user inside the container
  • Standard Docker/OCI container isolation (namespaces, cgroups)
  • No host network access; privileged mode is off by default but can now be opted into via a --privileged flag or per-resource-set setting, and resource sets can define optional root commands that run before the user switch

Team Configuration

  • .shai/config.yaml is version-controlled and shared
  • Security policy is code-reviewed alongside application code
  • No individual developer can silently weaken constraints

This is meaningfully more restrictive than competitors like yolobox (full sudo, no network filtering) or even yolo-cage (network filtering but permissive filesystem).

Strengths

  • Principle of least privilege, actually applied — Most agent sandboxes protect against catastrophic mistakes (rm -rf). shai goes further by constraining what agents can access in normal operation. Read-only defaults with opt-in writes is how production systems work; it's unusual to see it in developer tooling.

  • Resource Sets are a genuinely novel abstraction — Context-dependent access control for AI agents is an unsolved problem. shai's approach of named, composable permission bundles that auto-select based on file paths is thoughtful and team-friendly.

  • Config-as-code.shai/config.yaml living in the repo means security policy gets code review, version history, and team consistency. This is the right pattern for enterprise adoption.

  • Agent-agnostic — Supporting Claude Code, Codex, Gemini CLI, Cline, and OpenHands means teams aren't locked into one agent. The sandbox is orthogonal to the agent choice.

Weaknesses

  • Early and small, and traction has stalled — 40 stars and 4 forks as of June 2026, essentially unchanged since March. The project is over six months old, npm downloads run in the low hundreds per month, and commit activity has slowed to small monthly maintenance releases. Bus factor risk is real.

  • Setup friction vs. competitors — yolobox is one command. shai requires understanding Resource Sets, configuring .shai/config.yaml, and thinking about which paths need write access. Teams that just want "run my agent safely" may find it over-engineered.

  • "Cellular software development" is unproven — The philosophy of giving agents access to individual components rather than whole repos sounds principled, but it's unclear how well this maps to real agent workflows. Many coding agents need broad context to make good decisions.

  • Network allowlisting maintenance burden — As projects add dependencies and integrations, keeping HTTP allowlists current becomes ongoing work. A missed allowlist entry means a broken agent session, which is worse UX than permissive defaults.

  • Docker dependency — Like most tools in this space, shai requires Docker. No native macOS container support yet (unlike yolobox's Apple Containers support).

What Developers Say

Verbatim developer commentary on shai remains scarce as of June 2026 — the project has not had its own Hacker News or Reddit moment. The clearest endorsement comes from the yolobox launch thread, where commenter LayeredDelay recommended it as an alternative: "Checkout https://github.com/colony-2/shai It runs locally. You can control which directories it has read / write access. You can control network traffic too." Beyond that, shai appears in community-compiled lists of sandboxing projects rather than in firsthand usage reports, which is consistent with its early adoption numbers.

Bottom Line

Recommended for security-sensitive teams and monorepos with varied access requirements who found yolobox too permissive — the Resource Sets abstraction and config-as-code policy in .shai/config.yaml remain genuinely differentiated, and the project is still maintained (last push June 1, 2026). Not recommended as a bet on a thriving ecosystem: 40 stars, 4 forks, and ~455 monthly npm downloads after six-plus months means you're adopting a tool with real abandonment risk, and recent releases are maintenance-grade (image tooling additions) rather than feature work. Outlook: uncertain — shai represents the security-maximalist position in agent sandboxing, solving a problem ("which files and APIs should the agent reach?") that most developers don't yet feel; the philosophy is probably right about the future, but traction since March suggests shai may not be the project that gets to prove it.

Sources

Share on XShare on LinkedIn