Dejima free · open source

Keep AI coding agents off your private files

You want an agent's help on your code without handing it the run of your machine. Dejima makes that the default. An agent sees nothing of your disk until you give it one folder, and every time it reaches across, there's a record.

Who this is for

Anyone running AI coding agents on a machine that holds things the agent has no business reading: a solo developer with client repos checked out, a consultant under NDA, anyone whose laptop has SSH keys, cloud credentials, and half a dozen other projects on it. If "what could this agent reach if it went wrong?" is a question you've asked, this is for you.

The risk you're carrying

An AI agent you run the normal way runs as you. It has your access. That means it can read your ~/.ssh keys, every repository you have checked out, your .env files, your cloud credentials, and your shell history. It doesn't have to be malicious to be a problem. One confused tool call, or one prompt injection from a web page it fetched, and the blast radius is everything you can touch.

The usual answer is to watch it closely and hope. Containment is a better answer.

How Dejima keeps them out

Deny-all by default

Each agent runs in an island, a container that can't see your host files at all. No shared mount, no path it can reach by guessing. The starting point is zero access.

One folder, read-only

Hand over exactly what an agent needs with dejima port grant, scoped to a single folder and read-only, through a broker. See the guide.

A record of every crossing

Every file that crosses is written to a tamper-evident ledger you can read and verify. You can prove what an agent touched. See the guide.

You don't lose the help

Containment isn't the same as cutting the agent off. When it genuinely needs a dataset, a folder of docs, or a config, you grant that one folder and it works normally. The difference is that the access is deliberate, scoped, read-only by default, revocable in one command, and logged. The agent gets what it needs and nothing else.

It also runs on hardware you own, so your code and credentials never leave your box in the first place. Only the model API call goes out. See running agents locally, contained for the setup.

Common questions

Can an AI coding agent access my private files?

Not in Dejima, unless you let it. Each agent runs in a container that's denied all host-file access by default. It sees only the folders you explicitly grant, read-only if you choose, and every access is logged.

How do I stop an AI agent from reading my SSH keys or other repos?

Run it in Dejima. The agent's island can't see your home directory, your keys, or your other projects. You grant one folder at a time through a broker, and nothing else on your machine is reachable.

What happens if an agent gets prompt-injected?

Containment limits the damage. A hijacked agent still can't reach anything you didn't grant, can't widen its own access, and every crossing it does make is recorded, so you can see exactly what it touched.

Give an agent help, not your whole disk

Free and open source. One command on a box you own.

Get started →

Related: Scope an agent to one folder · Audit what your agent did · all use cases