What is Caged?
Caged gives AI coding agents a safe, isolated place to work — away from your local machine. Send agents like Claude Code, Codex, Cursor, or Aider into cloud sandboxes backed by Firecracker microVMs. Every session is automatically:Isolated
Each sandbox runs its own Linux kernel — VM boundary, not container namespace. Full OS-level isolation.
Observed
Every file change, terminal command, and LLM call is recorded in real-time. Nothing happens in the dark.
Costed
Real-time dollar tracking of LLM tokens + compute time. Set budget guards to prevent runaway costs.
Scored
Trust score (0-100) based on agent behavior. Penalizes risky actions like file deletion or network exfiltration.
Why Caged?
Running AI agents on your local machine is risky:| Problem | Without Caged | With Caged |
|---|---|---|
| Agent deletes files | Your files are gone | Sandbox is disposable |
| Agent installs malware | Your machine is compromised | VM is destroyed after |
| Agent runs up a $500 bill | You find out next month | Budget guard kills it at $5 |
| Agent does something sketchy | You have no idea | Full replay + trust score |
| Two agents conflict | They fight over the same files | Each gets its own sandbox |
How It Works
Components
| Component | Description |
|---|---|
| API Server | Go backend managing sandboxes, auth, billing, events |
| CLI | caged command-line tool for creating and managing sandboxes |
| Dashboard | Web UI for monitoring sandboxes, viewing replays, managing billing |
| SDKs | TypeScript and Python libraries for programmatic access |
| Sandbox Agent | Process inside each VM that relays events to the platform |
Next Steps
Quickstart
Create your first sandbox in 2 minutes
Concepts
Understand sandboxes, sessions, and trust scores
Config-as-Code
Add .caged.yaml to your repo
API Reference
Full REST API documentation