Dejima free · open source

You're still SSHing into tmux to run your agents?

It works. Then Wi-Fi drops mid-run and you're guessing whether the detach was clean, three agents means three panes and a window-switching habit, and moving to a second device means hunting for the right session. Fine for one agent; for a fleet it's a daily tax. There's a quieter cost underneath, too: each agent runs as you, reaching your keys and files with no record of what it touched. Here's where the tmux-and-SSH setup runs out of road, and what to put in its place on the same box.

The setup everyone starts with

You bought a Mac mini, or you have a Linux box in the closet, and you want agents working while you sleep. So you do the obvious thing.

ssh you@mac-mini
tmux new -s claude
# start an agent, detach, ssh back in later to check on it

One pane per agent. You detach, you reconnect from your laptop, you scroll up to see what happened. For one agent on one repo, this is genuinely fine. Don't let anyone tell you otherwise.

The trouble starts when there are three of them.

Where it breaks

Every agent in that setup runs as you, on your box, with your everything. That's the whole problem, and it shows up in five places.

None of these are tmux's fault. tmux is a terminal multiplexer doing exactly its job. It was never meant to be the security boundary for an autonomous process with your credentials.

Two diagrams of a Mac mini. On the left, tmux + SSH: three agents share one box, each with open lines to your files, ~/.ssh, and API tokens, and to each other. On the right, Dejima: three agents in sealed islands, all reaching host files through a single broker gate that grants read-only access and writes every crossing to a ledger.
Same hardware. The difference is what each agent can reach, and whether you can prove what it did.
Text version
TODAY — tmux + SSH                WITH DEJIMA
your Mac mini                     your Mac mini
  claude  claude  claude            [a1 agent] [a2 agent] [a3 agent]   sealed
     \      |      /                       \      |      /
      open reach to:                        one broker gate
   your files · ~/.ssh · tokens          your files (read-only) → ledger

Every agent reads everything.     Deny-all. One gated crossing,
No record of what it touched.     granted read-only, every crossing logged.

The fix: same instinct, contained

You don't have to give up the part that works. You still own the hardware, you still reach it over your own network, you still have agents running while you're away. What changes is the box each agent runs in.

Dejima puts every agent in its own container it calls an island. The island can't see your host files. It can't see the other islands. Host access is off by default, and you grant folders one at a time, read-only, through a broker that writes every crossing to a tamper-evident log. Same Mac mini. Walls added.

# on the Mac mini, once
curl -fsSL https://dejima.tech/install.sh | bash

# spin up an island from a repo (it seeds the first agent for you)
dejima init --repo git@github.com:you/web.git

# add a second agent in the same island
dejima agent add web --type codex

# run it: the TUI shows every island and agent in one place
dejima

From there you attach with dejima connect web, and the session survives a dropped connection and follows you to a second device. The same install sets up Docker, the background service, and your Tailscale identity, so "set up the infrastructure" isn't a project you do first.

Now walk back through the five failures:

The honest version: if you run exactly one agent on one repo and never touch anything sensitive, tmux is fine and you don't need this. The moment you're running a fleet, or the code is under NDA, or you'd have to answer "what did it do," the box matters.

It's the same hardware and the same habit of reaching into your own machine. The agents just stop being able to wander.

Common questions

What's wrong with running agents in tmux over SSH?

tmux draws a box around a terminal, not around what runs in it. Each agent runs as you, with access to your keys, every repo, and your shell history, and nothing records what it touched. For one agent it's fine; for several it leaves you no isolation and no audit trail.

How do I move from tmux to Dejima?

Install Dejima on the same box, point an island at your repo, and add your agent. You still own the hardware and reach it the same way, but each agent now runs in a sealed container with brokered host access and a dashboard. The walkthrough prompt below guides you through it.

Have an AI walk you through it

Paste this into your own AI and it'll guide you through moving off tmux, adapted to your setup.

Open in Claude → Open in ChatGPT → Opens in your own AI. Nothing is sent to us.

Install Dejima and run your first island →

Next: Turn a Mac mini into an AI agent server in 5 minutes · All guides