Runs agentic coding assistants in docker containers
Project description
aicage
Run your favorite AI coding agents comfortably in Docker.
Why use aicage?
Agents need deep access (read code, run shells, install deps). Their built-in safety checks are naturally limited.
Running agents in containers gives a hard boundary - while the experience stays the same. See Why cage agents? for the full rationale.
Quickstart
-
Prerequisites:
- Docker
- Python 3.10+ and
pipx
-
Install:
pipx install aicage
-
Navigate to your project directory.
-
Use one of these commands:
aicage codex aicage copilot aicage gemini aicage goose aicage opencode aicage qwen
Base images
The first run asks which base image to use; pick Ubuntu or whatever matches your Linux distro.
| Base | Distro | Notes |
|---|---|---|
| ubuntu | Ubuntu | Good default for most users |
| debian | Debian | For Debian users |
| fedora | Fedora | For RedHat/Fedora users |
| alpine | Alpine | Minimal footprint; experimental |
| node | Ubuntu | Official Node image (all base images have Node) |
| act | Ubuntu | Default runner image from act (act runs GitHub Actions locally) |
All base images have the same stack of tools installed.
Agents
| CLI | Agent | Homepage |
|---|---|---|
| codex | Codex CLI | https://developers.openai.com/codex/cli |
| copilot | GitHub Copilot CLI | https://github.com/features/copilot/cli |
| gemini | Gemini CLI | https://geminicli.com |
| goose | Goose CLI | https://block.github.io/goose |
| opencode | OpenCode | https://qwenlm.github.io/qwen-code-docs |
| qwen | Qwen Code | https://opencode.ai |
Your existing CLI config for each agent is mounted inside the container so you can keep using your preferences and credentials.
aicage options
--dry-runprints the composeddocker runcommand without executing it.--aicage-entrypoint PATHmounts a custom entrypoint script to/usr/local/bin/entrypoint.sh.--dockermounts/run/docker.sockinto the container to enable Docker-in-Docker workflows.--config printprints the project config path and its contents.
Configuration file formats are documented in CONFIG.md. Extension authoring is documented in doc/extensions.md.
Why cage agents?
AI coding agents read your code, run shells, install packages, and edit files. That power is useful, but granting it directly on the host expands your risk surface.
Where built-in safety is limited:
- Allow/deny lists only cover known patterns; unexpected commands or attack paths can slip through.
- Some agents work fully only after relaxing their own safety modes, broadening what they can touch.
- “Read-only project” features are software rules. Other projects and files still sit alongside them on the same host.
How aicage mitigates this:
- Containers create a hard boundary: the agent can access only what you explicitly mount. Day-to-day use stays familiar—just with the host kept out of reach.
Development info
More details are in DEVELOPMENT.md.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file aicage-0.8.12.tar.gz.
File metadata
- Download URL: aicage-0.8.12.tar.gz
- Upload date:
- Size: 42.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
218061413e0a04c5dde5304579c19201b19766af2599f84f388a032ad2cf8c61
|
|
| MD5 |
78971e86a9d4b0806e7e44b03b1f609e
|
|
| BLAKE2b-256 |
d3bef953d972ecb8aad9f7f7c86137847410180782c421192a7a584ce2ee4383
|
Provenance
The following attestation bundles were made for aicage-0.8.12.tar.gz:
Publisher:
publish.yml on aicage/aicage
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
aicage-0.8.12.tar.gz -
Subject digest:
218061413e0a04c5dde5304579c19201b19766af2599f84f388a032ad2cf8c61 - Sigstore transparency entry: 820993547
- Sigstore integration time:
-
Permalink:
aicage/aicage@405b7042283369b16d725d45b407e2024db75276 -
Branch / Tag:
refs/tags/0.8.12 - Owner: https://github.com/aicage
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@405b7042283369b16d725d45b407e2024db75276 -
Trigger Event:
push
-
Statement type:
File details
Details for the file aicage-0.8.12-py3-none-any.whl.
File metadata
- Download URL: aicage-0.8.12-py3-none-any.whl
- Upload date:
- Size: 95.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7d80eff5e8723f0d286b4c88ab425c904e1df75266b1b50e5666124c18ae26e6
|
|
| MD5 |
2d89209c7a0281ad49b6d8eabf2aefe0
|
|
| BLAKE2b-256 |
4d4f325c5a6c2e1c9c06a7c90ded2a7da1a09fc5e056305b7ecc46b355f3bf53
|
Provenance
The following attestation bundles were made for aicage-0.8.12-py3-none-any.whl:
Publisher:
publish.yml on aicage/aicage
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
aicage-0.8.12-py3-none-any.whl -
Subject digest:
7d80eff5e8723f0d286b4c88ab425c904e1df75266b1b50e5666124c18ae26e6 - Sigstore transparency entry: 820993555
- Sigstore integration time:
-
Permalink:
aicage/aicage@405b7042283369b16d725d45b407e2024db75276 -
Branch / Tag:
refs/tags/0.8.12 - Owner: https://github.com/aicage
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@405b7042283369b16d725d45b407e2024db75276 -
Trigger Event:
push
-
Statement type:
