Safe Autonomy
Permission Fatigue
Constant prompts disrupt your flow and stop agents from working unsupervised.
YOLO Is Risky
Unrestricted permissions mean an over-eager agent can corrupt your system, leak credentials, or worse.
Sandbox It
Cloister lets you work productively in a safe environment where mistakes can't escape.
How It Works
Your project runs in an unprivileged Docker container on an isolated network.
A guardian proxy controls all outbound traffic.
Filesystem Isolation
Agents see only your project directory, with no access to files on your system. Mistakes stay git-recoverable.
Network Allowlist
Only allowlisted domains are reachable: AI APIs, package registries, documentation. No surprise outbound connections.
Human-in-the-Loop
The hostexec escape hatch only surfaces requests matching pre-configured patterns, keeping interruptions relevant.
Key Features
Quick Start
# Install curl -fsSL https://raw.githubusercontent.com/xdg/cloister/main/install.sh | sh # One-time setup: configure your AI agent credentials cloister setup claude # Start a cloister for your project cd your-project cloister start # You're now inside the cloister with your project mounted at /work cloister:my-project:/work$ # claude is aliased to `claude --dangerously-skip-permissions` cloister:my-project:/work$ claude
Guardian proxy starts automatically on first use. Monitor at http://localhost:9999