With tools like Claude Code, Cursor, and Aider running autonomously, we are heavily relying on application-level permission systems (like .claudeignore or permissions.deny) to protect our local environments. From a threat-modeling perspective, these are bypassable and don't provide a real security boundary, especially for GDPR/ISO regulated environments.
To fix this, I built aigate in Go. It acts like a Python venv, but for AI permissions. Instead of trusting the AI tool to respect a config file, it uses the OS kernel as the trust boundary.
How it works under the hood:
- File Isolation: POSIX ACLs (Linux) and macOS ACLs to hard-deny read access to secrets (e.g., .env, ~/.ssh).
- Process Isolation: Mount namespaces to overmount sensitive directories (Linux).
- Network Isolation: Network namespaces to restrict egress solely to whitelisted APIs.
- Resource Limits: cgroups v2 enforce memory, CPU, and PID limits so a hallucinated script can't brick your machine.
The DevEx is meant to be dead simple. You set the rules (e.g., aigate deny read .env secrets/) and then run the tool inside it (e.g., aigate run -- claude). If the agent attempts to read a blocked file or execute a blocked command, the kernel rejects the syscall.
It supports Linux, macOS, and WSL, and uses a .aigate.yaml file so you can track AI boundaries in git alongside your project.
oldestaxe•4h ago
Repo: https://github.com/AxeForging/aigate
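The post's threat model is that a config-file deny list is only as good as the tool that honours it, while a kernel-enforced boundary can be verified from inside the sandbox itself. The probe below is an added example, not part of aigate: run it as the agent would run (e.g. `aigate run -- python3 probe.py .env secrets/ ~/.ssh`) and it reports, per path, whether the kernel returned the data, refused it, or hid it entirely, plus an optional egress check. The path list and the `api.example.com:443` endpoint are placeholders.

```python
import os
import socket
import sys


def probe_read(path: str) -> str:
    """Ask the kernel, not the agent, what this process can see of `path`.
    'denied'   -> EACCES/EPERM (ACL or DAC refused the read)
    'missing'  -> ENOENT (e.g. directory overmounted by an empty mount)
    'readable' -> the boundary is NOT holding for this path"""
    try:
        if os.path.isdir(path):
            os.listdir(path)
        else:
            with open(path, "rb") as fh:
                fh.read(1)
        return "readable"
    except PermissionError:
        return "denied"
    except FileNotFoundError:
        return "missing"


def probe_egress(host: str, port: int, timeout: float = 2.0) -> str:
    """'blocked' if a TCP connect fails (network namespace has no route)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "reachable"
    except OSError:
        return "blocked"


def audit(paths, endpoints=()):
    """Return {'files': {path: state}, 'egress': {'host:port': state}}."""
    files = {p: probe_read(os.path.expanduser(p)) for p in paths}
    egress = {f"{h}:{p}": probe_egress(h, p) for h, p in endpoints}
    return {"files": files, "egress": egress}


def boundary_holds(report) -> bool:
    """True only if no probed secret path is readable from here."""
    return all(state != "readable" for state in report["files"].values())


if __name__ == "__main__":
    # Placeholder endpoint: replace with a host that must NOT be reachable.
    rep = audit(sys.argv[1:] or [".env", "secrets/", "~/.ssh"],
                endpoints=[("api.example.com", 443)])
    for section, results in rep.items():
        for name, state in results.items():
            print(f"{section:6} {state:9} {name}")
    sys.exit(0 if boundary_holds(rep) else 1)
```

A non-zero exit means a path the rules were supposed to deny was served by the kernel, which is the signal that the agent sandbox, not the agent's config, needs fixing.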