inner v0.5.1 · linux/amd64, linux/arm64 · Apache-2.0

Run agents in a box you actually trust.

inner is a Linux CLI that wraps Claude Code, Aider, Gemini and ordinary shells in bubblewrap-backed sandboxes. Reproducible profiles control exactly which paths are mounted, which env vars survive, and whether the network is reachable. Nothing more.

Requires bwrap 0.9.0+ and kernel 5.10+; Go 1.24 to build.
inner run -p claude-interactive -w ~/projects/myapp

[Diagram: the host side shows / (root), ~/projects/myapp, ~/datasets, ~/.config/git and ~/.ssh/id_ed25519, plus an environment holding ANTHROPIC_API_KEY=sk-ant-… and GITHUB_TOKEN=ghp_…; across the bwrap namespace boundary, the claude-interactive sandbox root contains only /workspace (read-write) and /data (read-only), with the network denied. Legend: read-write mount, read-only mount, stripped / blocked, bwrap boundary.]

Trust the sandbox, not the agent.

Agentic CLIs need broad filesystem access and the ability to execute arbitrary commands. inner gives them a smaller, well-defined world to play in.

01 Process isolation

Each run is wrapped in a fresh set of Linux kernel namespaces — pid, mount, user, net, ipc, uts. The agent can’t see your other processes.

unshare(CLONE_NEW{PID,NS,USER,NET,IPC,UTS})
02 Filesystem separation

The sandbox sees only what the profile mounts. Read-only by default; explicit rw on directories you name. Everything else is invisible.

--ro-bind /usr /usr --bind /workspace /workspace
03 Environment sanitization

Sensitive variables — git creds, ssh-agent, cloud tokens — are stripped before exec. The profile names the few that pass through.

passthrough = ["ANTHROPIC_API_KEY", "DISPLAY", "PATH"]
04 Security verification

inner verify runs a battery of checks against a profile — host paths leaking in, agent sockets reachable, dangerous capabilities. Catches mistakes before agents do.

$ inner verify -p claude-containers --suggest

inner is a Linux CLI tool that runs scripts and agentic tools — Claude Code, Gemini, interactive shells — in isolated, reproducible sandbox environments backed by bubblewrap (bwrap).

Why inner?

Agentic tools have broad filesystem access and execute arbitrary commands. inner provides a layer of isolation so you can run them safely:

  • Process isolation via Linux kernel namespaces
  • Filesystem separation — the sandbox sees only what you explicitly mount
  • Environment sanitization — sensitive variables and git credentials are stripped
  • Security verification — detect if sensitive host resources leak into the sandbox
  • Reproducibility — configuration-driven profiles define exactly what each run can access

How it works

inner reads a profile (a TOML file in ~/.config/inner/profiles/) and uses it to construct a bwrap command that wraps your tool. The profile controls network access, mounted paths, environment variables, command shimming, and more.

inner run -p claude-one-shot --arg "refactor the auth module"
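The path from profile to bwrap command, covering the four cards above (namespaces, mounts, environment, verification) and this section, as an added example written for this page in Go, the language inner is built in. It is not inner's own code: the Profile struct and its field names, the /workspace and /data layout, the sensitive-path list and the function names are this example's assumptions; the bwrap flags themselves are real ones.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Profile is a simplified stand-in for an inner TOML profile; the field names
// are this example's assumptions, not inner's real schema.
type Profile struct {
	Workspace   string      // host dir bound read-write at /workspace
	ReadOnly    [][2]string // {host path, sandbox path} pairs, read-only
	Network     bool        // false: the sandbox keeps an empty net namespace
	Passthrough []string    // env var names allowed to survive
}

// SanitizeEnv keeps only allow-listed KEY=VALUE entries; anything else
// (GITHUB_TOKEN, SSH_AUTH_SOCK, AWS_*) is dropped before exec.
func SanitizeEnv(environ, passthrough []string) []string {
	allow := map[string]bool{}
	for _, k := range passthrough {
		allow[k] = true
	}
	var kept []string
	for _, kv := range environ {
		if key, _, ok := strings.Cut(kv, "="); ok && allow[key] {
			kept = append(kept, kv)
		}
	}
	return kept
}

// BuildArgs turns a profile into a bwrap argv. Only real bwrap flags are used;
// the layout (merged-usr symlinks, /workspace, tmpfs /tmp) is this example's.
func BuildArgs(p Profile, environ, cmd []string) []string {
	args := []string{"bwrap",
		"--unshare-all",     // user, pid, mount, net, ipc, uts, cgroup namespaces
		"--die-with-parent", // no orphaned agents if inner is killed
		"--new-session",     // new session: no TIOCSTI keystroke injection into the host tty
		"--clearenv",        // start from an empty environment
		"--ro-bind", "/usr", "/usr",
		"--symlink", "usr/bin", "/bin", "--symlink", "usr/lib", "/lib", "--symlink", "usr/lib64", "/lib64",
		"--proc", "/proc", "--dev", "/dev", "--tmpfs", "/tmp",
		"--bind", p.Workspace, "/workspace", "--chdir", "/workspace",
	}
	if p.Network {
		args = append(args, "--share-net") // opt back in; valid only after --unshare-all
	}
	for _, ro := range p.ReadOnly {
		args = append(args, "--ro-bind", ro[0], ro[1])
	}
	for _, kv := range SanitizeEnv(environ, p.Passthrough) {
		k, v, _ := strings.Cut(kv, "=")
		args = append(args, "--setenv", k, v)
	}
	return append(append(args, "--"), cmd...)
}

// Verify flags profile mistakes before an agent finds them: a bind that
// exposes a credential directory under home, or an agent socket variable.
func Verify(p Profile, home string) []string {
	sensitive := []string{".ssh", ".config/git", ".gnupg", ".aws"} // assumed list
	binds := [][2]string{{p.Workspace, "rw"}}
	for _, ro := range p.ReadOnly {
		binds = append(binds, [2]string{ro[0], "ro"})
	}
	var findings []string
	for _, b := range binds {
		for _, s := range sensitive {
			if overlaps(b[0], filepath.Join(home, s)) {
				findings = append(findings, fmt.Sprintf("%s bind %s exposes ~/%s", b[1], b[0], s))
			}
		}
	}
	for _, k := range p.Passthrough {
		if k == "SSH_AUTH_SOCK" || k == "GPG_AGENT_INFO" {
			findings = append(findings, "agent socket variable passes through: "+k)
		}
	}
	return findings
}

// overlaps is true when either path is the other or lies inside it ("/" covers everything).
func overlaps(a, b string) bool {
	a, b = filepath.Clean(a), filepath.Clean(b)
	return a == "/" || a == b || strings.HasPrefix(b, a+"/") || strings.HasPrefix(a, b+"/")
}

func main() {
	home, _ := os.UserHomeDir()
	// Constructed profile mirroring the page's claude-interactive diagram.
	p := Profile{
		Workspace:   filepath.Join(home, "projects/myapp"),
		ReadOnly:    [][2]string{{filepath.Join(home, "datasets"), "/data"}},
		Passthrough: []string{"ANTHROPIC_API_KEY", "DISPLAY", "PATH"},
	}
	fmt.Println(strings.Join(BuildArgs(p, os.Environ(), []string{"claude"}), " "))
	fmt.Println("verify:", Verify(p, home))
}
```

Run with `go run`: it prints the argv it would exec and an empty verify list for the diagram's profile. Change the workspace to your home directory (the `-w ~` mistake) and Verify lists ~/.ssh, ~/.config/git, ~/.gnupg and ~/.aws as exposed, because a read-write bind of a parent directory carries everything beneath it into the sandbox regardless of how carefully the environment was stripped.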

Documentation

Page             Description
Getting Started  Install, first run, environment check
Commands         Full command and flag reference
Profiles         Profile TOML configuration reference
Aliases          Define short names for frequently used commands
Examples         Common usage patterns with explanations
Cheat Sheet      Quick reference for commands and tasks
Development      Build, test, dev mode, release
Internals        bwrap command construction, flag decisions, architecture

Requirements

  • Linux (kernel namespaces required)
  • bwrap (bubblewrap) installed
  • Unprivileged user namespaces enabled. On Debian-derived (and some hardened) kernels this means /proc/sys/kernel/unprivileged_userns_clone = 1; other distributions lack that knob and instead need user.max_user_namespaces > 0, and Ubuntu 23.10+ additionally restricts unprivileged user namespaces through AppArmor (kernel.apparmor_restrict_unprivileged_userns) unless the bwrap binary carries a profile that allows them
  • Go 1.24+ (to build from source)

License

inner is released under the Apache License, Version 2.0.