AI - Tool/Agent isolation
Project description
AI-Container
Podman-based container for isolating AI tooling for an individual project.
Context
In the past, I have repeatedly observed and experienced coding agents accessing or using files and content which they either weren't supposed to, or even technically "did not have access to."
On one occasion, for example, file access was explicitly restricted (e.g., the path was blocked). However, the agent exploited its ability to run bash commands, using them to traverse and scan the restricted paths instead of relying on standard read/write methods.
For this reason, I believe it is essential to implement clear restrictions or a contextual sandbox that is shared with the AI, and which it cannot as easily circumvent by simply invoking a different command.
Prerequisites
- Podman (>= 4.0) - Container runtime
- Python (>= 3.13) - Required for the CLI
- uv - Used to install and run the CLI
Image builds and volume creation are performed through the Podman Python SDK, which talks to the Podman service socket. Make sure the socket is running:
Installation
Install the ai-container package:
uv tool install ai-container
Or from source:
git clone https://github.com/yourusername/ai-container.git
cd ai-container
uv tool install .
The ai command will then be available.
Usage
Basic Commands
ai agent pi /path/to/project # Run PI coding agent
ai agent opc /path/to/project # Run OpenCode coding agent
ai agent aic /path/to/project # Run aichat
ai agent llm /path/to/project # Run llm
ai shell /path/to/project # Interactive shell in container
ai agent <tool> <path> [args] is the single entry point for every tool.
Valid tools: pi, opc, aic, llm.
Pass additional arguments directly to the tool:
ai agent pi /path/to/project --verbose --model claude-3-sonnet
Rebuilding the Container Image
The container image is built automatically on first use via the Podman SDK.
When you want to pull in the latest tool versions, force a rebuild with the
image rebuild command:
ai image rebuild
Custom Environments
Need a specific toolchain (Rust, Go, an extra editor, ...)? Define a custom
environment: a thin image built FROM aic:base that adds your tooling on top
of everything the base image already provides.
Select an environment for any command with -e/--env:
ai -e rust shell . # shell in the rust environment
ai -e rust agent pi . # run pi in the rust environment
ai -e rust image rebuild # (re)build the rust image (FROM aic:base)
Manage environment definitions with the env group:
ai env list # show environments and whether images are built
ai env new rust # scaffold a Containerfile (FROM aic:base)
ai env new rust --edit # scaffold and open it in $EDITOR
ai env edit rust # edit the Containerfile
ai env path rust # print the Containerfile path
ai env remove rust --purge # delete the definition (and its image)
Definitions live under ~/.config/ai-container/environments/<name>/
(honoring XDG_CONFIG_HOME). The directory is also the build context, so you
can COPY local files into your image. A scaffolded Containerfile looks like:
# rust environment -- extends the ai-container base image.
FROM aic:base
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
| sh -s -- -y --default-toolchain stable
ENV PATH="/root/.cargo/bin:${PATH}"
WORKDIR /workspace
Without -e, the default base environment is used. Persistence volumes
(config, state, share, pi-config, claude) are shared across all
environments, so credentials and config are entered once and work everywhere.
Config Files
Defaults for the global flags (-e/--env, --log-level, --dryrun) can be set
in a TOML config file, so you don't have to repeat them on every invocation.
Files are merged from several sources, highest precedence first:
- ./.ai-container.toml - project-local, in the current working directory
- ~/.config/ai-container/config.toml - user config (honors XDG_CONFIG_HOME)
- ~/.ai-container.toml - home dotfile
- Built-in defaults
Command-line flags always override config files. Each layer only needs to set the keys it cares about; the rest fall through to the next layer.
# .ai-container.toml
env = "rust" # default environment
log_level = "DEBUG" # one of: DEBUG, INFO, WARNING, ERROR, CRITICAL
dryrun = false
Provided Tools
- PI - Coding agent for generation, analysis, and refactoring
- OpenCode - AI-powered coding assistant
- aichat - Interactive AI chat interface
- llm - Command-line tool for LLM interaction
Configuration & Persistence
First run: The container image is built (one-time, takes a few minutes).
Tools use their standard configuration methods (within the container):
- aichat: ~/.config/aichat/config.toml
- llm: ~/.config/llm/ + environment variables
- PI: ~/.pi/
- OpenCode: ~/.config/opencode/
Configuration persists automatically across all runs and containers through named Podman volumes (config, state, share, pi-config). Configure once, use everywhere:
# First run: setup credentials
ai shell /path/to/project
# Inside container: aichat, llm keys set openai <key>, etc.
# Subsequent runs: credentials available automatically
ai agent pi /path/to/project
Other/Previous Work
File details
Details for the file ai_container-0.14.0.tar.gz.
File metadata
- Download URL: ai_container-0.14.0.tar.gz
- Size: 27.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.21
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 4de4a68813e7a50de54a0c305477338b7d3fa4b64a10391ef2c69586ad551bb2 |
| MD5 | b1e256d45df59bbd0599031d8440639f |
| BLAKE2b-256 | 07b43f7abf59551c8a53e8fe3670d0d70dc9cf358f9979740316ba4456a86022 |
File details
Details for the file ai_container-0.14.0-py3-none-any.whl.
File metadata
- Download URL: ai_container-0.14.0-py3-none-any.whl
- Size: 13.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.21
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 08ed7102089c7eb0cc983ef5599f78fa25e65598fb4fde3c23dc16ea23fe1f9f |
| MD5 | 2525dff03eaaef46fd3cab85987ed7eb |
| BLAKE2b-256 | f15f7fbebe7bdda56f4ed09fa80aec3a681609954486b6832b557520e1dd80bf |