nixcage creates per-project sandboxes that activate automatically when you cd into a directory (via direnv). It uses bubblewrap on Linux and sandbox-exec on macOS — no VMs, no Docker, no overhead.
Three isolation levels: strict (no network, empty home), standard (project writable, network on), and relaxed (home readable, project writable).
It also controls Nix store access (shared, readonly, copy, or fully isolated) so sandboxed tools can't pollute your host store.
Quick start: nixcage init --preset claude-code && direnv allow
A debug mode captures every blocked syscall so you can see exactly what's denied and tune your config.
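To make the isolation levels and store modes above concrete, here is an added example (my own, not nixcage's code) that prints the bubblewrap argument list one plausible mapping of those levels would produce; the specific flag choices, the read-only project mount in strict mode, and the omission of the copy store mode are assumptions, not nixcage's actual implementation.

```shell
#!/bin/sh
# Added example, not nixcage's code: build a bubblewrap (bwrap) argv for the
# three isolation levels and three of the Nix store modes described above.
# The mapping is an assumption. Run the result with:
#   bwrap $(sandbox_args strict readonly "$PWD") -- sh
sandbox_args() {
    level=$1; store=$2; project=$3
    home=${HOME:-/home/user}   # constructed fallback if HOME is unset
    # Baseline for every level: private PID/IPC/UTS namespaces, fresh /tmp,
    # read-only system dirs, and the sandbox dies with its parent shell.
    set -- --unshare-pid --unshare-ipc --unshare-uts --die-with-parent \
        --ro-bind /usr /usr --ro-bind /etc /etc --proc /proc --dev /dev \
        --tmpfs /tmp
    case $level in
        strict)   # no network, empty home; project mounted read-only
            set -- "$@" --unshare-net --tmpfs "$home" \
                --ro-bind "$project" "$project" ;;
        standard) # network on, project writable, home still empty
            set -- "$@" --tmpfs "$home" --bind "$project" "$project" ;;
        relaxed)  # home readable but not writable, project writable
            set -- "$@" --ro-bind "$home" "$home" \
                --bind "$project" "$project" ;;
        *) echo "unknown level: $level" >&2; return 1 ;;
    esac
    case $store in
        shared)   set -- "$@" --bind /nix /nix ;;    # host store writable: can be polluted
        readonly) set -- "$@" --ro-bind /nix /nix ;; # host store usable, never written
        isolated) set -- "$@" --tmpfs /nix ;;        # empty store, nothing leaks either way
        *) echo "unknown store mode: $store" >&2; return 1 ;;
    esac
    printf '%s\n' "$@"   # one argument per line, ready for "$(...)" splitting
}
```

Later mounts override earlier ones in bwrap, so a project directory under $HOME stays writable even after the home tmpfs or read-only bind.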