Dejima
alpha
For teams who have to prove what their agents did.
Agents in your perimeter — audited by design.
Run AI coding agents on infrastructure your team controls, where every privileged action is brokered and recorded. Nothing — not your code, not your agents — leaves your boundary.
Where this is today: the containment and audit foundations below are shipped and in use — and so are team roles, the activity feed, and audit export (see team controls). What's still on the roadmap is compliance-reporting polish: configurable retention and audit dashboards. If you have a regulated or client-confidential use case, we'd like to hear it: reach out on GitHub.
Private by default
The agents' LLM calls go out — but your source, your files, and your credentials never leave your box. There's no managed cloud in the loop and no vendor account holding your work:
- Your hardware, your perimeter. Run it locally on a Mac mini, on an on-prem server, on a cloud VM in your own account, or on an air-gapped host — same Dejima either way. Egress policy is yours to set.
- Your identity, not a vendor's. Access is your Tailscale identity over your tailnet — not a third-party login.
- Attenuated credentials. Each island gets a scoped, per-island token; your master GitHub and provider credentials are never handed to an agent.
- Clean teardown.
dejima purgedestroys an island and its volumes when the engagement ends.
Audited by design
The thing autonomous agents make hard — trusting a privileged actor with tool access — is exactly what Dejima is built to contain:
Deny-all host access
Islands can't see your host filesystem. You grant scoped, read-only folders explicitly with dejima port grant; an island can never widen its own access.
Brokered crossings
Every file in or out of an island goes through the Port broker — read-only intake from host, append-only trade back out. No silent mounts.
Tamper-evident ledger
Every brokered crossing is written to a hash-chained, append-only log outside any container. Reordered or missing entries break the chain. Verify with dejima audit --verify.
Contained, even when always-on
Run a 24/7 assistant as a Home Island — it reaches host content only through the same brokered, logged path, so a prompt-injected agent still can't escape.
Team access & audit — shipped
Several people can share one daemon, each acting only within their authority, with a readable record of who did what:
Setting someone up? The step-by-step for both sides, and the single link you hand a teammate, is on connect to a server.
Roles & scoped tokens
Owner, operator, and viewer roles, minted as bearer tokens you can scope to specific islands: dejima token create --role operator --island foo. Operators run the fleet but can't purge; viewers only observe. No token grants more than the daemon already does. Prefer the dashboard? Press I in dejima for the owner-only Team panel, which mints an operator or viewer invite to copy.
Activity feed
A curated timeline — who launched what, which agent did what — filterable by actor, island, and decision (GET /v1/activity). Built on the same ledger, readable by any viewer.
Audit viewer & export
Read, filter, and export the ledger as a compliance record — JSON, JSONL, or CSV — via dejima audit, the TUI audit pane (A), or GET /v1/audit. Whole-chain tamper-verification runs on every read.
On the roadmap in progress
Roles, the activity feed, and audit export are shipped (above). What's still ahead is compliance-reporting polish:
- Retention controls — configurable retention for the audit record.
- Audit dashboards & multi-org rollups — compliance-grade reporting over the ledger, beyond read/export.
- SSO/SAML — integrates through your own control plane; today Dejima authenticates with your Tailscale identity plus scoped per-island tokens.
Tracking the order of these against real use cases — if yours would move one up, tell us.
Have a regulated or confidential use case?
Tell us what you're trying to run and what you need to prove. It shapes what ships next.
Reach out on GitHub →