Dejima alpha

For teams who have to prove what their agents did.

Agents in your perimeter — audited by design.

Run AI coding agents on infrastructure your team controls, where every privileged action is brokered and recorded. Nothing — not your code, not your agents — leaves your boundary.

Where this is today: the containment and audit foundations below are shipped and in use — and so are team roles, the activity feed, and audit export (see team controls). What's still on the roadmap is compliance-reporting polish: configurable retention and audit dashboards. If you have a regulated or client-confidential use case, we'd like to hear it: reach out on GitHub.

Private by default

The agents' LLM calls go out — but your source, your files, and your credentials never leave your box. There's no managed cloud in the loop and no vendor account holding your work.

Audited by design

The thing autonomous agents make hard — trusting a privileged actor with tool access — is exactly what Dejima is built to contain:

Deny-all host access

Islands can't see your host filesystem. You grant scoped, read-only folders explicitly with dejima port grant; an island can never widen its own access.

Brokered crossings

Every file in or out of an island goes through the Port broker — read-only intake from host, append-only trade back out. No silent mounts.

Tamper-evident ledger

Every brokered crossing is written to a hash-chained, append-only log outside any container. Reordered or missing entries break the chain. Verify with dejima audit --verify.
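How a hash-chained, append-only log catches reordered, missing, or altered entries, as an added Python example that is not Dejima's code or ledger format. The field names, the all-zero genesis value, and the use of SHA-256 are assumptions of this sketch, which also shows that a generic chain only notices a cut-off tail when the head hash is recorded somewhere else.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed fixed starting value for the chain


def entry_hash(prev_hash, seq, event):
    # The hash covers the previous hash, the position, and the canonical event body.
    body = json.dumps({"prev": prev_hash, "seq": seq, "event": event},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


def append(log, event):
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "prev": prev, "event": event,
                "hash": entry_hash(prev, seq, event)})
    return log[-1]["hash"]  # head hash; keep a copy outside the log itself


def verify(log, expected_head=None):
    """Return (ok, reason). expected_head is a head hash recorded elsewhere."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i:
            return False, f"entry {i}: sequence gap or reorder"
        if e["prev"] != prev:
            return False, f"entry {i}: prev hash does not match"
        if e["hash"] != entry_hash(e["prev"], e["seq"], e["event"]):
            return False, f"entry {i}: contents altered"
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch: tail truncated or chain replaced"
    return True, "ok"


def build_sample():
    # Constructed sample crossings, not real ledger records.
    events = [
        {"actor": "alice", "island": "foo", "op": "intake", "path": "docs/spec.md"},
        {"actor": "agent-1", "island": "foo", "op": "trade", "path": "out/patch.diff"},
        {"actor": "bob", "island": "foo", "op": "intake", "path": "src/"},
    ]
    log, head = [], GENESIS
    for ev in events:
        head = append(log, ev)
    return log, head
```

Dropping the last entry passes `verify(log)` on its own and fails only when `expected_head` is supplied, which is why the head hash has to live outside the log it protects.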

Contained, even when always-on

Run a 24/7 assistant as a Home Island — it reaches host content only through the same brokered, logged path, so a prompt-injected agent still can't escape.

Team access & audit — shipped

Several people can share one daemon, each acting only within their authority, with a readable record of who did what:

Setting someone up? The step-by-step for both sides, and the single link you hand a teammate, is on connect to a server.

Roles & scoped tokens

Owner, operator, and viewer roles, minted as bearer tokens you can scope to specific islands: dejima token create --role operator --island foo. Operators run the fleet but can't purge; viewers only observe. No token grants more than the daemon already does. Prefer the dashboard? Press I in dejima for the owner-only Team panel, which mints an operator or viewer invite to copy.

Activity feed

A curated timeline — who launched what, which agent did what — filterable by actor, island, and decision (GET /v1/activity). Built on the same ledger, readable by any viewer.

Audit viewer & export

Read, filter, and export the ledger as a compliance record — JSON, JSONL, or CSV — via dejima audit, the TUI audit pane (A), or GET /v1/audit. Whole-chain tamper-verification runs on every read.

On the roadmap (in progress)

Roles, the activity feed, and audit export are shipped (above). What's still ahead is compliance-reporting polish: configurable retention and audit dashboards.

Tracking the order of these against real use cases — if yours would move one up, tell us.

Have a regulated or confidential use case?

Tell us what you're trying to run and what you need to prove. It shapes what ships next.

Reach out on GitHub →