CAPSEM
Native AI Agent Security

A Rust-powered hypervisor that sandboxes every AI coding agent in its own air-gapped Linux VM. See everything, control everything.

$ curl -fsSL https://capsem.dev/install.sh | sh

Ready to code, out of the box

A fully configured Linux dev environment with your favorite AI agents, MCP tools, and packages pre-installed. Boot to prompt in under 10 seconds.

Broad agent support

All major AI coding agents, pre-installed and auto-configured for sandbox mode.

  • Claude Code (Anthropic)
  • Gemini CLI (Google)
  • Codex (OpenAI)

Native MCP gateway

Policy-checked tool access over vsock. Built-in tools plus custom MCP servers via fastmcp.

  • fetch_http: Fetch and extract web content
  • grep_http: Search web pages with regex
  • http_headers: Inspect HTTP headers and status

Preconfigured environment

Python, Node.js, and 30+ packages ready to go. No setup required.

Python 3, Node.js 24, git, uv, numpy, pandas, scipy, scikit-learn, requests, httpx, beautifulsoup4, pytest, rich, matplotlib, fastmcp

Coming soon

Active development. Here's what's next.

  • VM checkpointing and restore
  • Linux host support
  • VS Code extension
  • Custom MCP server marketplace

Security without compromise

ISOLATION

Hardware-level sandboxing with Apple Virtualization.framework

Each agent session boots a lightweight Linux VM with a read-only rootfs, no swap, no kernel modules, no debugfs. Air-gapped networking with a dummy NIC and fake DNS ensures nothing reaches the real network without going through the MITM proxy.

  • Ephemeral VMs -- fresh state every session
  • Read-only rootfs with tmpfs workspace
  • No systemd, no sshd, no cron -- minimal attack surface
INSPECTION

See everything your AI agent does on the network

A transparent MITM proxy terminates TLS from the guest using per-domain minted certificates, inspects every HTTP request and response, and applies policy before forwarding to the real upstream. Full request/response bodies are logged to a per-session SQLite database.

  • Per-domain TLS certificate minting
  • Method + path policy rules per domain
  • Full body capture for post-hoc analysis
CONTROL

Enterprise-grade policy with user and corp config layers

User-level config in ~/.capsem/user.toml lets developers customize domain lists and HTTP rules. Corp-level config at /etc/capsem/corp.toml (MDM-distributed) locks down policy with enterprise overrides that users cannot bypass.

  • Domain allow/block with wildcard support
  • HTTP method + path matching per domain
  • Corp config overrides user config entirely
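
The three properties above (wildcard domains, per-domain method + path rules, corp replacing user outright) can be sketched as a small evaluator. This is an added example, not Capsem's code or config schema: the type names, first-match-wins ordering, prefix path matching, default-deny fallback and the sample domains are all assumptions.

```rust
// Added illustration, not Capsem's code. Type names, first-match-wins ordering, prefix path
// matching and default-deny are assumptions; the sample layers below are constructed.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Action { Allow, Block }
pub struct HttpRule { pub method: &'static str, pub path_prefix: &'static str, pub action: Action }
pub struct DomainRule { pub pattern: &'static str, pub action: Action, pub http: Vec<HttpRule> }
pub struct Policy { pub domains: Vec<DomainRule> }

/// "*.example.com" matches subdomains only: not the apex, not "evilexample.com".
pub fn domain_matches(pattern: &str, host: &str) -> bool {
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    let pattern = pattern.to_ascii_lowercase();
    match pattern.strip_prefix("*.") {
        Some(suffix) => host.len() > suffix.len() + 1
            && host.ends_with(suffix)
            && host.as_bytes()[host.len() - suffix.len() - 1] == b'.',
        None => host == pattern,
    }
}

pub fn evaluate(corp: Option<&Policy>, user: &Policy, host: &str, method: &str, path: &str) -> Action {
    // The corp layer, when present, replaces the user layer entirely (no merging).
    let policy = corp.unwrap_or(user);
    // Refuse dot-dot segments so "/public/../admin" cannot ride on a "/public" rule.
    if path.split('/').any(|seg| seg == "..") { return Action::Block; }
    let d = match policy.domains.iter().find(|d| domain_matches(d.pattern, host)) {
        Some(d) if d.action == Action::Allow => d,
        _ => return Action::Block, // matched a block rule, or no rule at all (default deny)
    };
    d.http.iter()
        .find(|r| r.method.eq_ignore_ascii_case(method) && path.starts_with(r.path_prefix))
        .map_or(d.action, |r| r.action)
}

pub fn user_layer() -> Policy {
    Policy { domains: vec![DomainRule { pattern: "*.example.com", action: Action::Allow, http: vec![] }] }
}
pub fn corp_layer() -> Policy {
    let upload = HttpRule { method: "POST", path_prefix: "/v1/upload", action: Action::Block };
    Policy { domains: vec![
        DomainRule { pattern: "api.example.org", action: Action::Allow, http: vec![upload] },
        DomainRule { pattern: "*.example.com", action: Action::Block, http: vec![] },
    ] }
}

fn main() {
    let (user, corp) = (user_layer(), corp_layer());
    println!("{:?}", evaluate(Some(&corp), &user, "cdn.example.com", "GET", "/pkg"));
}
```

Because the corp layer is selected before any rule is read, a user-level allow for a domain has no effect once a corp policy exists, which is the "cannot bypass" property described above.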

How it works

A native macOS hypervisor creates an air-gapped Linux VM for each session. All network traffic is forced through an inspecting proxy on the host.

macOS Host

  • Tauri App: GUI + CLI interface
  • MITM Proxy: TLS termination + HTTP inspection
  • Policy Engine: Domain + HTTP + MCP rules
  • Session Telemetry: SQLite DB per session

Linux VM (air-gapped)

  • AI Agent: Claude / Gemini / Codex
  • PTY Agent: Terminal I/O over vsock
  • Net Proxy: TCP-to-vsock relay (iptables)
  • MCP Server: Tool relay over vsock

Internet (via host MITM proxy only)

FAQ

Frequently Asked Questions

Still have a question?

Open an issue on GitHub

All guest HTTPS traffic is redirected through an iptables rule to a local TCP relay, which bridges to the host via vsock. The host terminates TLS using per-domain minted certificates (signed by a static Capsem CA baked into the guest's trust store), inspects the HTTP request, applies policy, and forwards to the real upstream.

Download Capsem

Open source, native macOS, boots in under 10 seconds.

$ curl -fsSL https://capsem.dev/install.sh | sh

or download the DMG directly

Requires macOS 14+ on Apple Silicon. Capsem uses Apple Virtualization.framework.