1 comments

  • oldestaxe 4 hours ago
    Heyo,

    With tools like Claude Code, Cursor, and Aider running autonomously, we are heavily relying on application-level permission systems (like .claudeignore or permissions.deny) to protect our local environments. From a threat-modeling perspective, these are bypassable and don't provide a real security boundary, especially for GDPR/ISO regulated environments.

    To fix this, I built aigate in Go. It acts like a Python venv, but for AI permissions. Instead of trusting the AI tool to respect a config file, it uses the OS kernel as the trust boundary.

    How it works under the hood:

    - File Isolation: POSIX ACLs (Linux) and macOS ACLs to hard-deny read access to secrets (e.g., .env, ~/.ssh).
    - Process Isolation: Mount namespaces to overmount sensitive directories (Linux).
    - Network Isolation: Network namespaces to restrict egress solely to whitelisted APIs.
    - Resource Limits: cgroups v2 enforce memory, CPU, and PID limits so a hallucinated script can't brick your machine.

    The DevEx is meant to be dead simple. You set the rules (e.g., aigate deny read .env secrets/) and then run the tool inside it (e.g., aigate run -- claude). If the agent attempts to read a blocked file or execute a blocked command, the kernel rejects the syscall.

    It supports Linux, macOS, and WSL, and uses a .aigate.yaml file so you can track AI boundaries in git alongside your project.

    Repo: https://github.com/AxeForging/aigate
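A defender-side check that follows from the comment above, added here as an example and not aigate's own code: run it with the agent's UID inside the sandbox (e.g. after a deny rule, under `aigate run --`) and it asks the kernel directly, via `open()`, whether each listed secret is still readable, so the verdict does not depend on the AI tool honouring a config file. The temp-dir fixture and the `chmod 000` stand-in for an ACL deny are constructed for the demo; the `dac_enforced()` helper covers the case where root or CAP_DAC_OVERRIDE would bypass mode bits and POSIX ACLs alike.

```python
import os
import tempfile
from typing import Dict, Iterable, List

# Per-path verdicts returned by the probe.
DENIED = "denied"      # kernel refused open(): the boundary holds
READABLE = "readable"  # open() succeeded: the secret is exposed to the agent
MISSING = "missing"    # path absent: nothing to protect, or a mistyped rule


def probe_path(path: str) -> str:
    """Ask the kernel whether `path` opens read-only for the current UID."""
    try:
        fd = os.open(path, os.O_RDONLY)  # works for files and directories
    except PermissionError:
        return DENIED
    except FileNotFoundError:
        return MISSING
    os.close(fd)
    return READABLE


def probe_paths(paths: Iterable[str]) -> Dict[str, str]:
    """Probe every path a deny rule is supposed to cover."""
    return {p: probe_path(p) for p in paths}


def leaked(results: Dict[str, str]) -> List[str]:
    """Paths the sandboxed UID can still open: each one is a policy gap."""
    return sorted(p for p, verdict in results.items() if verdict == READABLE)


def dac_enforced() -> bool:
    """Mode bits and POSIX ACLs are discretionary access control; euid 0
    (or CAP_DAC_OVERRIDE) skips them, so a deny rule only holds for an
    unprivileged agent process."""
    return os.geteuid() != 0


def demo_fixture() -> Dict[str, str]:
    """Constructed sample tree: an unreadable .env, a readable README, and a
    path that does not exist. chmod 000 stands in for an ACL deny here."""
    root = tempfile.mkdtemp(prefix="aigate-probe-")
    env, readme = os.path.join(root, ".env"), os.path.join(root, "README.md")
    with open(env, "w") as fh:
        fh.write("API_KEY=constructed-sample-value\n")
    with open(readme, "w") as fh:
        fh.write("# constructed sample project\n")
    os.chmod(env, 0)
    return {"env": env, "readme": readme, "missing": os.path.join(root, "nope")}


if __name__ == "__main__":
    fx = demo_fixture()
    verdicts = probe_paths(fx.values())
    print("DAC enforced for this UID:", dac_enforced())
    for path, verdict in verdicts.items():
        print(f"{verdict:9} {path}")
    print("leaked:", leaked(verdicts))
```

If `leaked()` is non-empty for a path you denied, the rule is not being enforced at the kernel level for the UID the agent runs as, which is exactly the gap the comment warns about.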