A security-hardened container runtime for AI coding agents using Incus system containers with real-time threat detection and credential isolation.
Code on Incus is a security-hardened container runtime that allows developers to run AI coding assistants like Claude Code and opencode in isolated Incus system containers. It solves the security risks of running AI tools directly on a host by providing credential isolation, real-time threat detection, and network security while maintaining full functionality for the AI agents.
Developers and security-conscious teams who use AI coding assistants and need to protect their host systems from potential threats like credential exposure, reverse shells, and data exfiltration.
Developers choose Code on Incus because it offers superior security compared to Docker or bare-metal execution, with built-in real-time threat detection, automated response mechanisms, and true credential isolation, all while providing a seamless experience for AI-assisted coding.
Give each AI agent its own isolated machine with root, Docker, and systemd. Active defense detects and stops threats automatically.
SSH keys, environment variables, and Git credentials are never exposed to AI tools unless explicitly mounted, preventing accidental leaks as highlighted in the README's security features.
Kernel-level monitoring with nftables detects reverse shells and data exfiltration, automatically pausing or killing containers—no manual intervention needed, per the security monitoring section.
Supports resuming AI conversations with full history and credentials restored, and offers workspace-scoped session management for continuous workflow.
Features like SSH agent forwarding and automatic UID mapping allow secure access to host resources while maintaining isolation, eliminating permission issues.
Requires Incus installation and user permissions (incus-admin group), adding initial overhead compared to simpler tools like Docker, as noted in the installation guide.
Currently only natively supports Claude Code and opencode, with popular tools like Aider and Cursor listed as 'coming soon', limiting immediate adoption.
On macOS, it requires Colima or Lima VMs for Incus support, and Windows is limited to WSL2, adding complexity for cross-platform teams.
coi is an open-source alternative to the following products:
Autonomous novel writing AI Agent — agents write, audit, and revise novels with human review gates
Terminal session manager for AI coding agents. One TUI for Claude, Gemini, OpenCode, Codex, and more.
Manage multiple Claude Code, OpenCode agents from either TUI or Web for easy access on mobile. Also supports Mistral Vibe, Codex CLI, Gemini CLI, Pi.dev, Copilot CLI, Factory Droid Coding. Uses tmux and git worktrees.
Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.