A security harness that isolates AI coding agents (Claude Code / Codex CLI / Gemini CLI) inside Docker containers and forces all outbound traffic through mitmproxy. Payload inspection plus TOML policy control physically prevent data exfiltration and dangerous command execution, without relying on the agent's own trustworthiness.
```bash
uv tool install agent-zoo   # install from PyPI
mkdir my-zoo && cd my-zoo
zoo init                    # secure by default: empty allow list (Inbox approval required)
# or: zoo init --policy claude               # allow Anthropic/Claude only
# or: zoo init --policy {codex,gemini,all}   # see `zoo init --help`
zoo build                   # build the claude image (5-10 min)
zoo run                     # interactive mode (first run prompts /login)
```

`zoo init` now defaults to `--policy minimal` (empty `domains.allow.list`), so the first outbound request is rejected and surfaced to the Inbox for per-request approval. Pick another profile (`claude` / `codex` / `gemini` / `all`) to preseed the allow-list, or edit `.zoo/policy.toml` directly. Live audit is available through the dashboard (`zoo up --dashboard-only`, http://localhost:8080).
- Docker isolation: agent containers run on an `internal: true` network, cut off from the host OS and other containers; the only egress is the mitmproxy sidecar
- Domain allow-list: outbound destinations are explicitly enumerated in `policy.toml`, with hot reload support
- Payload inspection: request and response bodies are inspected (Base64 decoding, secret patterns, URL-embedded secrets)
- tool_use detection: SSE streams are parsed and dangerous tool invocations are blocked at the request hook
- Dashboard auditing: requests / tool_uses / blocks shown live, with whitelist nurturing and Inbox (agent-to-human approval requests)
- Agent-agnostic: same harness covers Claude Code / Codex CLI / Gemini CLI; the unified image enables cross-agent invocation
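The tool_use detection step, as an added example of how a proxy can reassemble tool invocations from a streamed model response and hold them against deny rules. This is not agent-zoo's own code: the event shapes follow the Anthropic Messages streaming format (`content_block_start` / `input_json_delta` / `content_block_stop`), while `DENY_RULES`, the sample stream and the function names are constructed for this illustration. It also covers the failure mode a parser must not ignore: a tool_use whose stream ends before `content_block_stop` is still surfaced for inspection rather than silently dropped.

```python
"""Model of tool_use detection over a streamed model response: parse SSE events,
reassemble each tool_use block's JSON input, and flag invocations matching a deny
rule. Added illustration, not agent-zoo's own code. Event shapes follow the
Anthropic Messages streaming format; DENY_RULES and the sample stream are constructed."""
import json
import re

# Constructed deny rules: tool name -> patterns applied to every string in the tool input.
DENY_RULES = {
    "bash": [
        re.compile(r"\brm\s+-rf\s+/(\s|$)"),             # wipe the filesystem root
        re.compile(r"\bcurl\b[^|\n]*\|\s*(sh|bash)\b"),  # pipe a download straight into a shell
    ],
}

# Constructed SSE stream: one text block, then a bash tool_use whose input arrives in two deltas.
SAMPLE_STREAM = """\
event: content_block_start
data: {"type":"content_block_start","index":0,"content_block":{"type":"text","text":""}}

event: content_block_delta
data: {"type":"content_block_delta","index":0,"delta":{"type":"text_delta","text":"Cleaning up."}}

event: content_block_stop
data: {"type":"content_block_stop","index":0}

event: content_block_start
data: {"type":"content_block_start","index":1,"content_block":{"type":"tool_use","id":"toolu_01","name":"bash","input":{}}}

event: content_block_delta
data: {"type":"content_block_delta","index":1,"delta":{"type":"input_json_delta","partial_json":"{\\"command\\": \\"rm -"}}

event: content_block_delta
data: {"type":"content_block_delta","index":1,"delta":{"type":"input_json_delta","partial_json":"rf /\\"}"}}

event: content_block_stop
data: {"type":"content_block_stop","index":1}

event: message_stop
data: {"type":"message_stop"}
"""


def parse_sse(raw: str):
    """Yield the JSON object carried by each 'data:' line; other SSE fields are ignored."""
    for line in raw.splitlines():
        if line.startswith("data:"):
            payload = line[len("data:"):].strip()
            if payload and payload != "[DONE]":
                yield json.loads(payload)


def _finish(blk: dict) -> dict:
    """Join the accumulated JSON fragments; keep unparseable input under _raw so it is still inspected."""
    text = "".join(blk.pop("json")) or "{}"
    try:
        blk["input"] = json.loads(text)
    except json.JSONDecodeError:
        blk["input"] = {"_raw": text}
    return blk


def collect_tool_uses(raw: str) -> list[dict]:
    """content_block_start opens a tool_use, input_json_delta appends to its input,
    content_block_stop closes it; blocks left open by a truncated stream are closed at the end."""
    open_blocks: dict[int, dict] = {}
    finished = []
    for ev in parse_sse(raw):
        kind, idx = ev.get("type"), ev.get("index")
        if kind == "content_block_start" and ev["content_block"].get("type") == "tool_use":
            cb = ev["content_block"]
            open_blocks[idx] = {"id": cb["id"], "name": cb["name"], "json": []}
        elif (kind == "content_block_delta" and idx in open_blocks
              and ev["delta"].get("type") == "input_json_delta"):
            open_blocks[idx]["json"].append(ev["delta"]["partial_json"])
        elif kind == "content_block_stop" and idx in open_blocks:
            finished.append(_finish(open_blocks.pop(idx)))
    finished.extend(_finish(b) for b in open_blocks.values())  # never-closed blocks are inspected too
    return finished


def _strings(obj):
    """Walk the tool input and yield every string value, however deeply nested."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)


def evaluate(tool_uses: list[dict], rules: dict = DENY_RULES) -> tuple[bool, list[str]]:
    """One denied invocation blocks the whole response; the reasons feed the audit log."""
    reasons = []
    for tu in tool_uses:
        for pat in rules.get(tu["name"], []):
            if any(pat.search(s) for s in _strings(tu.get("input", {}))):
                reasons.append(f"{tu['id']}: {tu['name']} matched {pat.pattern!r}")
    return (not reasons, reasons)


if __name__ == "__main__":
    uses = collect_tool_uses(SAMPLE_STREAM)
    print(uses)
    print(evaluate(uses))
```

Matching runs over the decoded string values rather than the raw JSON text, so escaping in the serialized form cannot hide a command from the pattern; the rule set is deliberately small here, and a real deployment would keep it in the policy file alongside the allow-list.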
| Doc | Contents |
|---|---|
| Install & Setup | Detailed uv tool install → zoo init → zoo run flow, full command reference, unified profile |
| Inbox guide (JP) | Approving agent-issued allow-list requests through the dashboard |
| Security model | Defense in depth, known limitations, operating principles |
| Policy reference | Every setting in policy.toml |
MIT