Skip to content

google/capsem

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

264 Commits
.agents
.agents
 
 
.claude
.claude
 
 
.config
.config
 
 
.github/workflows
.github/workflows
 
 
config
config
 
 
crates
crates
 
 
data
data
 
 
frontend
frontend
 
 
guest
guest
 
 
scripts
scripts
 
 
site
site
 
 
skills
skills
 
 
src/capsem
src/capsem
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
CITATION.cff
CITATION.cff
 
 
CLAUDE.md
CLAUDE.md
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
Cargo.toml
Cargo.toml
 
 
GEMINI.md
GEMINI.md
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
audit.toml
audit.toml
 
 
boot.log
boot.log
 
 
codecov.yml
codecov.yml
 
 
entitlements.plist
entitlements.plist
 
 
justfile
justfile
 
 
pyproject.toml
pyproject.toml
 
 
test-dev-null.sh
test-dev-null.sh
 
 
uv.lock
uv.lock
 
 

Repository files navigation

Capsem

Capsem

Sandbox AI coding agents in hardware-isolated Linux VMs on macOS and Linux.
Full network control, HTTPS inspection, MCP tool routing, and per-session telemetry.

Latest Release Coverage CI License

Disclaimer: This project is not an official Google project. It is not supported by Google and Google specifically disclaims all warranties as to its quality, merchantability, or fitness for a particular purpose.

Features

  • Hardware VM isolation -- Each agent runs in its own VM via Apple Virtualization.framework (macOS) or KVM (Linux). Stage 2 page tables, no shared memory, no container escapes.
  • Air-gapped networking -- No NIC exists in the VM. All HTTPS traffic is intercepted by a transparent MITM proxy with per-domain allow/block policy and full request/response telemetry.
  • Hardened kernel -- Custom-compiled Linux kernel: no loadable modules, no IP stack, KASLR, stack protector, FORTIFY_SOURCE. 7MB vs 30MB stock Debian.
  • HTTPS inspection -- TLS termination with per-domain minted certificates. Every API call is logged: provider, model, tokens, cost, tool calls, trace linking.
  • MCP tool gateway -- Routes MCP tool calls from AI agents through a policy engine. Built-in tools (fetch_http, grep_http, http_headers) and external MCP server passthrough.
  • Workspace snapshots -- Rolling auto-snapshots via APFS clonefile. Create, list, diff, revert, compact snapshots from MCP tools or the in-VM snapshots CLI.
  • Per-session telemetry -- SQLite database per session: network events, model calls (with token counts and cost), tool calls, MCP calls, file events. Queryable from the UI.
  • Security presets -- Medium/High security profiles. Corporate lockdown via /etc/capsem/corp.toml (MDM-distributed). Per-domain HTTP method+path rules.
  • AI agent support -- Claude Code, Gemini CLI, and Codex run in yolo mode by default. The VM is the security boundary, not the agent's permission system.
  • Boot in ~2 seconds -- Squashfs rootfs + VirtioFS overlay + initrd-bundled agent binaries. No disk formatting, no package installs.

How it works

sequenceDiagram
    participant D as Developer
    participant C as Capsem (macOS)
    participant VM as Linux VM

    D->>C: capsem run "task"
    C->>VM: Boot VM (Virtualization.framework)
    C->>VM: vsock:5001 terminal I/O
    C->>VM: vsock:5002 HTTPS MITM proxy
    C->>VM: vsock:5003 MCP gateway

    Note over VM: AI agent runs in sandbox

    VM->>C: HTTPS requests (intercepted)
    C->>C: Inspect, log, apply policy
    C-->>VM: Forward to upstream (if allowed)

    VM->>C: MCP tool calls
    C->>C: Policy check + route
    C-->>VM: Tool results

    C->>C: Auto-snapshot workspace (APFS clonefile)
    C->>C: Record telemetry to session.db

    VM->>C: Terminal output (vsock:5001)
    C->>D: Display in UI / terminal
Loading
  1. Capsem boots a Linux VM with a hardened kernel and read-only rootfs
  2. The AI agent (Claude, Gemini, Codex) starts in /root with full filesystem access
  3. All HTTPS traffic is intercepted -- API calls are parsed for model, tokens, cost, and tool usage
  4. MCP tool calls are routed through a policy engine with built-in and external tool support
  5. Workspace snapshots are taken automatically every 5 minutes (APFS clonefile, zero-copy)
  6. The session database records everything for the telemetry UI

Install

macOS

Download the DMG from the latest release, open it, and drag Capsem.app to Applications.

Or with Homebrew (coming soon):

brew install --cask capsem

Requires macOS 13+ on Apple Silicon.

Linux

Download the .deb or .AppImage from the latest release.

# Debian/Ubuntu
sudo dpkg -i capsem_*.deb

# Or run directly
chmod +x Capsem*.AppImage && ./Capsem*.AppImage

Requires Linux kernel 5.x+ with KVM support (/dev/kvm).

Build from source

Prerequisites: Rust (stable), just, Node.js 24+, pnpm, Python 3.11+, uv, and Docker or Podman (4GB+ RAM). See the Development Guide for detailed setup instructions.

bash scripts/bootstrap.sh  # check tools + install deps (first time)
just build-assets          # build VM assets (~10 min, first time only)
just run "echo hello"      # verify everything works

Or step by step:

just doctor          # check prerequisites
just build-assets    # build VM assets (~10 min, first time only)
just install         # test + build + codesign + install

Usage

GUI

open /Applications/Capsem.app

CLI

capsem uname -a
capsem echo hello
capsem 'ls -la /proc/cpuinfo'

Architecture

crates/capsem-core/    VM library (config, boot, vsock, MITM proxy, MCP gateway, hypervisor)
crates/capsem-app/     Tauri binary (GUI, CLI, IPC commands)
crates/capsem-agent/   Guest binaries (PTY agent, net proxy, MCP relay)
crates/capsem-logger/  Telemetry DB (writer, reader, schema)
crates/capsem-proto/   Wire protocol (vsock message encoding)
frontend/              Astro 5 + Svelte 5 + Tailwind v4 + DaisyUI v5
src/capsem/builder/    capsem-builder CLI (config-driven image builder)
guest/config/          Guest image configuration (TOML configs)
guest/artifacts/       Guest scripts and diagnostics (capsem-init, tests)

Development

just dev             # hot-reloading Tauri app (frontend + Rust)
just ui              # frontend-only dev server (mock mode, no VM)
just run             # cross-compile + repack + build + sign + boot (~10s)
just test            # unit tests + cross-compile + frontend check
just full-test       # test + capsem-doctor + integration + bench

See just --list for all targets.

Testing

Layer Command What it tests
Unit cargo test --workspace 1,500+ Rust tests across all crates
Frontend cd frontend && pnpm run test Svelte component + store tests
In-VM just run "capsem-doctor" 284 sandbox/network/runtime diagnostics inside the VM
Integration just full-test End-to-end: boot VM, exercise all telemetry pipelines, verify DBs

Security

Capsem assumes the AI agent is adversarial. The sandbox is hardened at every layer:

Layer Protection
Hardware Apple Silicon Stage 2 page tables (macOS) / KVM with VT-x (Linux), no shared memory
Kernel Custom-compiled, CONFIG_MODULES=n, CONFIG_INET=n, KASLR
Network No NIC. DNS/HTTP/IP physically impossible. MITM proxy on vsock only.
Filesystem Read-only squashfs rootfs. Only /root, /tmp, /run writable.
Boot integrity BLAKE3 hashes of kernel/initrd/rootfs compiled into the binary
Processes PID 1 is our init. No systemd, no cron, no sshd.
Agent binaries Deployed read-only (chmod 555), verified at boot

Full threat model: Security Overview

Tech stack

Documentation

Full documentation at capsem.org.

Disclaimer

This project is not an official Google project. It is not supported by Google and Google specifically disclaims all warranties as to its quality, merchantability, or fitness for a particular purpose.

License

See LICENSE.

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity
Custom properties

Stars

22 stars

Watchers

0 watching

Forks

2 forks
Report repository

Releases 1

Capsem v0.12.1 Latest
Mar 25, 2026

Packages

 
 
 

Contributors

Languages