Technology Radar

jai (Stanford)

open-source, agent
Assess

jai is a lightweight Linux sandbox from Stanford's Secure Computer Systems group, designed to reduce the blast radius of AI agents without the overhead of containers or VMs. One command, no images, no Dockerfiles — just a copy-on-write boundary around your working directory.

Why It's in Assess

  • Fills the gap between "trust everything" and "build a container": Most developers running coding agents today give them full access to their home directory. jai provides a middle ground — the working directory gets full access, the rest of $HOME is behind a copy-on-write overlay or hidden entirely.
  • Zero-friction adoption: No root required, no Dockerfiles, no images to build. A single command wraps your existing workflow. This removes the primary friction that prevents developers from sandboxing agent sessions at all.
  • Honest threat model: jai describes itself as a "casual sandbox" — it reduces blast radius but does not claim to eliminate all attack vectors. This is the right framing for local development use.
  • Stanford pedigree: From the Secure Computer Systems group and Future of Digital Currency Initiative — credible security research backing.
  • Still early: New project, Linux-only, limited documentation. Assess — worth evaluating alongside landrun and native agent sandboxing (Codex's Landlock, Claude Code's seccomp BPF) to see where it fits in your workflow.

How It Works

jai gives your working directory full access and keeps the rest of your home behind a copy-on-write overlay — or hidden entirely. Changes outside the working directory are captured in the overlay and discarded when the session ends, preventing agents from making persistent modifications to your system.
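One way to check this boundary when evaluating jai or any of the alternatives, as an added example that is not jai's own code: snapshot the home directory before a session and diff it afterwards, ignoring the working directory. The function names and the constructed directory layout are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every path under root to (kind, mode, sha256 or link target)."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):  # symlinks are not followed
        for name in dirnames + filenames:
            p = Path(dirpath, name)
            rel, mode = p.relative_to(root).as_posix(), p.lstat().st_mode
            if p.is_symlink():
                state[rel] = ("link", mode, os.readlink(p))
            elif p.is_file():
                state[rel] = ("file", mode, hashlib.sha256(p.read_bytes()).hexdigest())
            elif p.is_dir():
                state[rel] = ("dir", mode, "")
    return state


def escaped_changes(before, after, workdir_rel):
    """Diff two snapshots, ignoring workdir_rel (relative to the snapshot root)."""
    prefix = workdir_rel.strip("/") + "/"
    out = {"added": [], "removed": [], "modified": []}
    for rel in sorted(before.keys() | after.keys()):
        if (rel + "/").startswith(prefix):
            continue  # inside the working directory, where writes are expected
        if rel not in before:
            out["added"].append(rel)
        elif rel not in after:
            out["removed"].append(rel)
        elif before[rel] != after[rel]:
            out["modified"].append(rel)
    return out


def demo():
    """Constructed home dir; the writes stand in for an agent run with no sandbox."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / "proj").mkdir()
        (home / "proj" / "main.py").write_text("print('v1')\n")
        (home / ".profile").write_text("export EDITOR=vi\n")
        before = snapshot(home)
        (home / "proj" / "main.py").write_text("print('v2')\n")  # allowed
        (home / ".profile").write_text("export EDITOR=nano\n")   # escaped
        (home / "notes.txt").write_text("left behind\n")         # escaped
        return escaped_changes(before, snapshot(home), "proj")
```

Take the first snapshot before starting the sandboxed session and the second after it ends; three empty lists are the result the discarded overlay described above should produce.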

Comparison with Other Approaches

| Approach | Isolation Level | Setup Friction | Use Case |
|---|---|---|---|
| jai | Copy-on-write overlay | Minimal (one command) | Local dev, quick agent tasks |
| landrun | Landlock LSM filesystem restrictions | Low (standalone binary) | Filesystem-level sandboxing |
| Native agent sandboxing | Varies (Landlock, seccomp, Seatbelt) | None (built-in) | Agent-specific, automatic |
| E2B / Firecracker | Full MicroVM isolation | Higher (VM infrastructure) | Production, untrusted code |
| Docker | Container-level | Medium (Dockerfile required) | Reproducible environments |

Key Characteristics

| Property | Value |
|---|---|
| Website | jai.scs.stanford.edu |
| Origin | Stanford Secure Computer Systems / Future of Digital Currency Initiative |
| Platform | Linux only |
| License | Open source (free software) |
| Root required | No |
| Container/VM required | No |
