Your AI agent can rm -rf / and you're fine.
Auto-approve on your bare machine means the agent sees your SSH keys, other repos,
every credential on disk.
devcell puts a container between your project and everything else.
Your code goes in. Nothing else comes along.
"Run this in a container, not your actual machine."
— Anthropic, Claude Code documentation
Blast radius bounded
SSH keys, other repos, host APIs: unreachable. The agent edits freely inside your project. Your host system stays untouched.
One command, any project
cd my-project && cell claude. Working directory mounted automatically, no per-project config needed. Works with Codex and OpenCode too.
Version-locked toolchain
Go, Node.js, Python, Terraform, and more. Nix-pinned at build time. No download URLs that go stale, no version drift between machines.
Secrets never touch your disk
1Password secrets are resolved on the host, injected into the container as env vars, and written to a RAM-only tmpfs at /run/secrets/. When the container stops, they're gone. The LLM never sees actual credential values -- MCP tools resolve placeholder names server-side.
MCP servers with real tools behind them
Not just config stubs. KiCad, Inkscape, and OpenTofu ship in the image alongside their MCP servers, so the agent can actually run tofu plan, analyze PCBs, or edit SVGs. 12 servers today, more with each release.
Stealth Chromium, zero passwords
Run cell login on your host to log into any site — a clean browser opens (no CDP, no bot-detection triggers), you log in, press Enter. Cookies and localStorage sync to the container automatically. The agent never sees your password. Anti-fingerprint Playwright replays sessions that pass Cloudflare and Kasada.
Docker or VM — your choice
Default: Docker container, zero setup. Add --macos and devcell provisions a Debian ARM64 VM via Vagrant + UTM instead — same nixhome toolchain, same commands. Works for teams that can't use Docker Desktop or need native Linux on Apple Silicon.
Drop a .tool-versions for runtime versions, add packages via config, extend a stack with nix overlays, or fork nixhome and build your own. Upstream updates still merge cleanly.
Image stacks
Pick your stack.
Need a different mix? Set stack and modules in your devcell.toml to combine what you need.
base
go
node
python
fullstack
electronics
ultimate
Dev essentials
✓
✓
✓
✓
✓
✓
✓
Go environment
—
✓
—
—
✓
—
✓
Node.js environment
—
—
✓
—
✓
—
✓
Python environment
—
—
—
✓
✓
—
✓
Infra tools
—
✓
—
—
✓
—
✓
Stealth browser
—
—
✓*
✓*
✓*
—
✓
Electronics & DIY
—
—
—
—
—
✓
✓
GUI desktop
—
—
—
—
—
✓
✓
12+ MCP servers
—
—
—
—
—
—
✓
* Headless only. GUI desktop (VNC/RDP) available in electronics and ultimate stacks.
Multi-arch: linux/amd64 and linux/arm64. Published to public.ecr.aws/w1l3v2k8/devcell.
Base nix image size ~1.3 GB.
Common questions
FAQ
Do I need an API key or Claude subscription?
Bring your own license or model. Claude Max, Pro, and API keys all work — devcell starts the same client you already use, just inside a container. Same goes for Codex and OpenCode.
Can I run DevCell without Docker — e.g. natively on Apple Silicon?
Yes. Pass --engine=vagrant (or --macos) and devcell provisions a Debian ARM64 VM via Vagrant and UTM instead of a Docker container. The same nixhome toolchain installs via Nix inside the VM. All cell commands work identically: cell claude --macos, cell build --macos, cell rdp --macos. The VM shows up alongside Docker cells in cell rdp --list.
How does the agent log into websites without seeing passwords?
Run cell login <url> on your host to open a real browser window — no CDP, no debugging ports that trip bot detection. Log in normally, press Enter, and devcell extracts cookies and localStorage via a headless CDP pass after the browser closes. Playwright inside the container replays the session without ever exposing credentials to the agent. Add --force to wipe a stale session and start fresh.
How does 1Password integration work?
List document names under [op] documents in devcell.toml. On cell start, the CLI reads each 1Password document on your host (requires op CLI and an active session), maps every field to an env var by label, and injects them into the container at runtime. Secrets are written to a RAM-only tmpfs at /run/secrets/ — they're gone when the container stops and never touch disk inside the container.
How is DevCell different from Dev Containers?
Dev Containers are editor-first — you write a Dockerfile + devcontainer.json per project for VS Code or GitHub Codespaces. DevCell is agent-first: one command, 7 pre-built Nix-pinned stacks, 12+ MCP servers auto-merged at startup, stealth Chromium + Playwright, VNC/RDP built in, and 1Password secret injection. No per-project Dockerfile maintenance.
How is DevCell different from OpenClaw?
OpenClaw is a multi-channel messaging gateway (WhatsApp, Telegram, Slack) with AI features. DevCell is a sandboxed coding environment for AI agents. Key differences: DevCell has mandatory container isolation (OpenClaw is network-exposed by default with multiple critical CVEs in 2026), curated MCP servers with backing tools shipped in the image (OpenClaw has an open marketplace with 1,184 malicious skills found), and Claude Max/Pro subscriptions work directly (OpenClaw requires API keys since Anthropic blocked subscription auth in Jan 2026).
How does cell models work — do I need a local GPU?
No GPU needed. cell models fetches live models from OpenRouter (Anthropic, OpenAI, Google) and shows them alongside any locally installed ollama models, ranked by SWE-Bench score and speed. Set [llm.models] default in devcell.toml to pin a model; with --ollama enabled, cell claude auto-selects the best-ranked local model if nothing is pinned.
Can the agent install packages inside the container?
Yes. The agent can run apt, npm install, pip install, nix — whatever the project needs. Network access is unrestricted. Port forwarding and extra volume mounts are configurable in devcell.toml.
What about file permissions?
Permissions are pass-through. The container user matches your host UID, so files the agent creates are owned by you. No chown headaches.
Does my existing Claude Code config carry over?
Your project-level config (CLAUDE.md, .claude/) is mounted with your project. Host ~/.claude/skills is mounted read-write, the rest of ~/.claude is read-only. Your host-machine config stays safe. (Subject to change.)
Why not just run Docker myself?
You can. devcell saves you from maintaining a Dockerfile per project, wiring up MCP server configs, forwarding git identity, injecting secrets, and setting up entrypoint orchestration. One command instead of 20 minutes of Docker plumbing.
How big are the images?
Base is ~1.3 GB, ultimate is ~20 GB. First run lets you pick a stack and builds automatically. Base builds in under 2 minutes, ultimate takes ~5 minutes.
