CAPSEM
The fastest way to ship with AI securely.
A Rust-powered hypervisor that sandboxes every AI coding agent in its own air-gapped Linux VM. See everything, control everything.
curl -fsSL https://capsem.org/install.sh | sh
Ready to code, out of the box
A fully configured Linux dev environment with your favorite AI agents, MCP tools, and packages pre-installed. Boot to prompt in under 10 seconds.
Broad agent support
All major AI coding agents, pre-installed and auto-configured for sandbox mode.
Native MCP endpoint
Policy-checked tool access over vsock. Built-in tools plus custom MCP servers via fastmcp.
- fetch_http: Fetch and extract web content
- grep_http: Search web pages with regex
- http_headers: Inspect HTTP headers and status
Preconfigured environment
Python, Node.js, and 30+ packages ready to go. No setup required.
Coming soon
Active development. Here's what's next.
- VM checkpointing and restore
- Windows and ChromeOS host support
- VS Code extension
- Custom MCP server marketplace
Security without compromise
Hardware-level sandboxing with Apple Virtualization.framework
Each agent session boots a lightweight Linux VM with a read-only rootfs, no swap, no kernel modules, no debugfs. Air-gapped networking with a dummy NIC and fake DNS ensures nothing reaches the real network without going through the MITM proxy.
- Ephemeral VMs -- fresh state every session
- Read-only rootfs with tmpfs workspace
- No systemd, no sshd, no cron -- minimal attack surface
See everything your AI agent does on the network
A transparent MITM proxy terminates TLS from the guest using per-domain minted certificates, inspects every HTTP request and response, and applies policy before forwarding to the real upstream. Full request/response bodies are logged to a per-session SQLite database.
- Per-domain TLS certificate minting
- Method + path policy rules per domain
- Full body capture for post-hoc analysis
Enterprise-grade policy with user and corp config layers
User-level config in ~/.capsem/user.toml lets developers customize domain lists and HTTP rules. Corp-level config at /etc/capsem/corp.toml (MDM-distributed) locks down policy with enterprise overrides that users cannot bypass.
- Domain allow/block with wildcard support
- HTTP method + path matching per domain
- Corp config overrides user config entirely
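The layering and matching described above, as an added sketch that is not Capsem's code or config schema: the rule shape, first-match ordering and default-deny fallback are assumptions made for illustration, and the domains are constructed samples.

```python
from fnmatch import fnmatchcase

# Hypothetical rule shape (constructed); NOT Capsem's real user.toml/corp.toml schema.
USER_POLICY = {"domains": {
    "*.github.com": {"action": "allow", "rules": [("GET", "/*"), ("POST", "/repos/*")]},
    "pypi.org": {"action": "allow", "rules": [("GET", "/simple/*")]},
}}
CORP_POLICY = {"domains": {
    "*.github.com": {"action": "allow", "rules": [("GET", "/*")]},
    "*.pastebin.example": {"action": "block", "rules": []},
}}


def effective_policy(user, corp):
    """Corp config, when present, replaces user config entirely (no merge)."""
    return corp if corp is not None else user


def domain_matches(pattern, host):
    """Exact match, or '*.suffix' matching true subdomains only."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".github.com"
        # Keeping the leading dot stops "*.github.com" matching "evilgithub.com".
        return host.endswith(suffix) and host != suffix
    return host == pattern


def decide(policy, host, method, path):
    """Return 'allow' or 'deny' for one request; first matching domain wins."""
    for pattern, entry in policy["domains"].items():
        if not domain_matches(pattern, host):
            continue
        if entry["action"] == "block":
            return "deny"
        for rule_method, rule_path in entry["rules"]:
            if rule_method == method.upper() and fnmatchcase(path, rule_path):
                return "allow"
        return "deny"  # domain known, but no method+path rule matched
    return "deny"  # assumed default: unknown domains are denied


if __name__ == "__main__":
    policy = effective_policy(USER_POLICY, CORP_POLICY)
    for req in [("api.github.com", "GET", "/repos/a/b"),
                ("api.github.com", "POST", "/repos/a/b/issues"),
                ("pypi.org", "GET", "/simple/requests/")]:
        print(req, "->", decide(policy, *req))
```

Because the corp layer replaces the user layer rather than merging with it, the user's `pypi.org` allow and the `POST /repos/*` rule both disappear once a corp policy is present. The sketch matches on the raw path; a proxy enforcing such rules would need to normalize paths (for example `..` segments) before matching.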
How it works
A native macOS hypervisor creates an air-gapped Linux VM for each session. All network traffic is forced through an inspecting proxy on the host.
Containers are excellent for packaging and reproducibility, but they share the host kernel. Capsem runs each AI agent in its own Linux VM, giving the sandbox a separate kernel, filesystem, process tree, and network stack. That stronger boundary also enables true air-gapping, policy-controlled egress through Capsem's proxy, clean teardown of the whole machine state, snapshots and forks, and explicit host/guest control over vsock. Containers can still be useful inside a Capsem VM, but they are not strong enough to be the outer sandbox boundary.
Download Capsem
Open source, native packages for macOS and Linux.
curl -fsSL https://capsem.org/install.sh | sh
or download a package directly
Requires macOS 14+ on Apple Silicon, or Debian/Ubuntu with KVM. Capsem uses Apple Virtualization.framework on macOS and KVM on Linux.