Cage: Run AI Coding Agents Without Fear

AI coding agents like Claude Code and Codex are becoming indispensable — but to unlock their full potential, you need to give them --dangerously-skip-permissions. That flag is named the way it is for a reason. An agent with unrestricted shell access on your host machine can rm -rf your home directory, overwrite your SSH keys, or trash your global git config. It probably won’t. But probably isn’t great when the downside is catastrophic.
I wanted a way to let agents run unrestricted without any of that risk. Cage enables that.
What It Does
Cage wraps Docker (or Colima or Podman) to create isolated containers for each project. Your project directory is mounted read-write at the same absolute path as on the host — so error messages, file references, and tooling all just work. Everything else is sandboxed.
```sh
brew install pacificsky/cage
cd ~/src/my-project
cage start
claude --dangerously-skip-permissions
```
That’s it. Run cage start again from the same directory and it re-attaches to the existing container. Run cage shell in another terminal to open a second shell while an agent is working. Port forwarding for web apps is a flag away:
```sh
cage start -p 3000:3000 -p 5432:5432
```
How It Works
Each project gets a deterministic container name — cage-<dirname>-<8char-sha256> — derived from the absolute path. No collisions, no guessing, no state files.
Three mounts make it feel like you never left your host:
| Host | Container | Purpose |
|---|---|---|
| Project directory | Same absolute path | Code editing with matching error paths |
| cage-home (Docker volume) | /home/vscode | Shared home across all cages |
| SSH agent socket | Forwarded | Git push/pull just works |
The shared home volume is the key ergonomic decision. Claude credentials, git config, shell history, API keys: configure them once and every cage container picks them up. No per-project credential dance. The flip side is that the volume is shared across projects, so an agent working in one cage can read those credentials and edit the dotfiles every other cage will load; keep anything you would not hand to every project out of it.
Why This Is Safe
The safety model is simple: the agent can do whatever it wants inside the container, but the only pieces of your host it can reach are the project directory you explicitly mounted and the forwarded SSH agent socket. Your host home directory is never mounted (the container’s home is a separate Docker volume), so there is no way to install packages on the host, modify host system files, or touch other projects. Two things do remain in scope: the project directory is mounted read-write, so a runaway agent can still delete or rewrite it (keep it committed and pushed), and agent forwarding lets the container authenticate as you to any remote your agent holds keys for, although it never sees the private keys themselves.
If an agent goes off the rails — runs a destructive command, corrupts its environment, installs something bizarre — the blast radius is contained. Run cage restart and you’re back to a clean container in seconds, with your project files and shared home volume untouched.
Your host system never sees --dangerously-skip-permissions. The agent runs unrestricted inside a throwaway container. That’s the whole idea.
Design Decisions
Same-path mounts. Most container tools mount your project at /workspace or /app. That means every file path in every error message is wrong. When an agent says “see line 42 of /Users/you/src/project/foo.py”, that path should actually exist. Cage mounts at the original absolute path so everything matches.
Seed directory. ~/.config/cage/home/ contents are copied into the shared home volume with cp -n (no-clobber) on every new container. Drop your .zshrc, .gitconfig, or Claude settings in there once. Existing files in the volume are never overwritten — your running config is always preserved.
Environment file hierarchy. Global env vars go in ~/.config/cage/env, per-project overrides go in .cage.env. Both are optional, both use Docker’s native env-file format. API keys, database URLs, feature flags — injected at container creation without baking them into images.
SSH agent forwarding. On macOS, host sockets can’t be bind-mounted across the VM boundary. Cage detects whether you’re running Docker Desktop or Colima and uses the appropriate VM-internal proxy socket. On Linux, it bind-mounts the host socket directly. If you’re on Colima without --ssh-agent enabled, Cage warns you instead of silently failing.
Runtime detection. Cage prefers docker but falls back to podman automatically. The entire tool is a single bash script — no dependencies beyond a container runtime.
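The moving parts described under How It Works and Design Decisions, assembled as one sketch so you can see how the container name, the same-path mount, the shared home volume, the env-file hierarchy, the seed copy and the SSH agent socket fit into a single docker run. This is added example code, not Cage’s own script. Its assumptions, which the page does not state, are: the hash input is the resolved absolute path with no trailing newline; directory-name characters outside what Docker allows are mapped to “-”; the agent socket is exposed at /ssh-agent inside the container; the macOS VM proxy socket is /run/host-services/ssh-auth.sock (documented for Docker Desktop, assumed for Colima); and the image defaults to a devcontainers base image via CAGE_IMAGE. The seed step is shown against plain directories so it can run without a container.

```shell
#!/usr/bin/env sh
# Added sketch of the Cage mechanics described on this page; not Cage's own script.
# Assumptions (not stated by the page): the hash input is the resolved absolute path
# with no trailing newline; dirname characters outside [A-Za-z0-9_.-] become '-';
# the agent socket is exposed at /ssh-agent inside the container; the macOS VM proxy
# socket is /run/host-services/ssh-auth.sock; the image comes from CAGE_IMAGE.

# SHA-256 of stdin with whichever tool the host has (sha256sum on Linux, shasum on macOS).
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -c1-64
}

# Deterministic container name: cage-<dirname>-<first 8 hex chars of sha256(abs path)>.
# No state file is needed: the same directory always maps to the same name.
cage_name() {
  dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "cage_name: no such directory: $1" >&2; return 1; }
  base=$(printf '%s' "$(basename "$dir")" | sed 's/[^A-Za-z0-9_.-]/-/g')
  hash=$(printf '%s' "$dir" | sha256_hex | cut -c1-8)
  printf 'cage-%s-%s\n' "$base" "$hash"
}

# Same-path project mount (so error paths match the host) plus the shared home volume.
cage_mount_args() {
  dir=$(cd "$1" && pwd -P) || return 1
  printf '%s\n' "-v $dir:$dir -w $dir -v cage-home:/home/vscode"
}

# Global env file first, per-project .cage.env second; both are optional.
# (Assumed: docker run lets the later --env-file override the earlier one.)
cage_env_args() {
  global=$1; dir=$2; args=""
  [ -f "$global" ] && args="--env-file $global"
  [ -f "$dir/.cage.env" ] && args="$args --env-file $dir/.cage.env"
  printf '%s\n' "${args# }"
}

# No-clobber seeding: copy each top-level seed entry into the home directory only when
# the target does not already exist. Shown on plain directories; Cage does this into the volume.
cage_seed_home() {
  seed=$1; target=$2
  [ -d "$seed" ] || return 0
  mkdir -p "$target"
  find "$seed" -mindepth 1 -maxdepth 1 | while IFS= read -r entry; do
    name=$(basename "$entry")
    if [ -e "$target/$name" ]; then
      echo "seed: keeping existing $name" >&2
    else
      cp -R "$entry" "$target/$name"
    fi
  done
}

# SSH agent: Linux can bind-mount the host socket; on macOS the socket lives on the host
# side of the VM, so the VM-internal proxy socket is used. OS and socket are parameters
# so the logic is testable without a live agent; Cage would read uname and SSH_AUTH_SOCK.
cage_ssh_args() {
  os=$1; sock=$2
  case "$os" in
    Linux)
      if [ -S "$sock" ]; then
        printf '%s\n' "-v $sock:/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent"
      else
        echo "warning: SSH_AUTH_SOCK does not point at a socket; agent not forwarded" >&2
      fi ;;
    Darwin)
      # Colima only provides this socket when started with --ssh-agent; Cage warns in that case.
      printf '%s\n' "-v /run/host-services/ssh-auth.sock:/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent" ;;
    *) echo "warning: unsupported OS $os; agent not forwarded" >&2 ;;
  esac
}

# Assemble the docker run command for a project. Printed rather than executed so it can
# be inspected; `docker exec -it <name> sh` then gives a second shell, as `cage shell` does.
cage_run_cmd() {
  dir=$(cd "$1" && pwd -P) || return 1
  image=${CAGE_IMAGE:-mcr.microsoft.com/devcontainers/base}  # assumed default; the page names none
  printf 'docker run -d --name %s %s %s %s %s sleep infinity\n' \
    "$(cage_name "$dir")" "$(cage_mount_args "$dir")" \
    "$(cage_env_args "$HOME/.config/cage/env" "$dir")" \
    "$(cage_ssh_args "$(uname -s)" "${SSH_AUTH_SOCK:-}")" "$image"
}

# Usage: CAGE_DEMO_DIR=~/src/my-project sh cage_sketch.sh
if [ -n "${CAGE_DEMO_DIR:-}" ]; then
  cage_run_cmd "$CAGE_DEMO_DIR"
fi
```

Because the name is a pure function of the path, re-attaching is just a matter of asking the runtime whether a container with that name already exists before creating one; nothing has to be remembered between runs.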
What It’s Not
Cage isn’t a devcontainer manager or a cloud development environment. It doesn’t try to define your toolchain, install language runtimes, or manage VS Code extensions. It’s a thin isolation layer: put an agent in a box, mount your code, get out of the way.
The source is on GitHub and MIT licensed. If you’re running coding agents on your machine and want to stop worrying about what they might do, give it a try.