AI Agent Sandbox · Open Source · Apache 2.0 · ★ Star on GitHub · v0.4.2

Agentic Coding,
Without the
Blast Radius.

Your AI agent can rm -rf / and you're fine. Auto-approve on your bare machine means the agent sees your SSH keys, other repos, every credential on disk.

devcell puts a container between your project and everything else. Your code goes in. Nothing else comes along.

View on GitHub → Quickstart

~/myproject $ cell claude

Opening Cell myproject …

✔ mounted /home/alex/myproject

───────────────────────────────────────

  Claude Code
· Sonnet 4.6 · Claude Max
  /myproject

───────────────────────────────────────

❯ implement login form

───────────────────────────────────────

⏵⏵ auto-approve · [*.] Cell Active

Why it matters

Auto-approve, safely.

"Run this in a container, not your actual machine."
— Anthropic, Claude Code documentation

Blast radius bounded

SSH keys, other repos, host APIs: unreachable. The agent edits freely inside your project. Your host system stays untouched.

One command, any project

cd my-project && cell claude. Working directory mounted automatically, no per-project config needed. Works with Codex and OpenCode too.

Version-locked toolchain

Go, Node.js, Python, Terraform, and more. Nix-pinned at build time. No download URLs that go stale, no version drift between machines.

Secrets never touch your disk

1Password secrets are resolved on the host, injected into the container as env vars, and written to a RAM-only tmpfs at /run/secrets/. When the container stops, they're gone. The LLM never sees actual credential values -- MCP tools resolve placeholder names server-side.

MCP servers with real tools behind them

Not just config stubs. KiCad, Inkscape, and OpenTofu ship in the image alongside their MCP servers, so the agent can actually run tofu plan, analyze PCBs, or edit SVGs. 12 servers today, more with each release.

Stealth Chromium built in

Anti-fingerprint Chromium with Playwright, ready for scraping and browser automation. Passes bot detection out of the box. Connect via VNC or RDP to watch it work.

Getting started

Quickstart

1

Install

brew install DimmKirr/tap/devcell. Requires docker.
Platforms: macOS, Linux, Windows^{(not verified yet)}
2

Run from any project

cd my-project && cell claude. First run picks a stack, scaffolds config, and builds. Works with cell codex and cell opencode too.

    
# macOS & Linuxbrew install DimmKirr/tap/devcell# run from any project directorycd ~/dev/my-projectcell claude

What's inside

What ships in the box.

Everything below ships in the ultimate stack. Pick a focused stack below and get exactly what you need.

AI Agents Claude Code · OpenAI Codex · OpenCode

Languages & Runtimes Go · Node.js · Python · Ruby · Swift / LLVM

Infrastructure & IaC Terraform · OpenTofu · Docker · Compose · Packer · Helm · Nix

Finance & Data Yahoo Finance · EdgarTools SEC · FRED API

Productivity & Travel Linear · Notion · Inoreader RSS · Google Maps · TripIt

Electronics & Design KiCad · Inkscape (vector graphics) · ngspice · ESPHome · wokwi-cli

Desktop & Browser VNC · RDP · Chromium (stealth) · Playwright · PulseAudio

Drop a .tool-versions for runtime versions, add packages via config, extend a stack with nix overlays, or fork nixhome and build your own. Upstream updates still merge cleanly.

Image stacks

Pick your stack.

Need a different mix? Set stack and modules in your devcell.toml to combine what you need.

	base	go	node	python	fullstack	electronics	ultimate
Dev essentials	✓	✓	✓	✓	✓	✓	✓
Go environment	—	✓	—	—	✓	—	✓
Node.js environment	—	—	✓	—	✓	—	✓
Python environment	—	—	—	✓	✓	—	✓
Infra tools	—	✓	—	—	✓	—	✓
Stealth browser	—	—	✓^*	✓^*	✓^*	—	✓
Electronics & DIY	—	—	—	—	—	✓	✓
GUI desktop	—	—	—	—	—	✓	✓
12+ MCP servers	—	—	—	—	—	—	✓

^* Headless only. GUI desktop (VNC/RDP) available in electronics and ultimate stacks.

Multi-arch: linux/amd64 and linux/arm64. Published to ghcr.io/dimmkirr/devcell.

Base nix image size ~1.3 GB.

Common questions

FAQ

Do I need an API key or Claude subscription?

Bring your own license or model. Claude Max, Pro, and API keys all work — devcell starts the same client you already use, just inside a container. Same goes for Codex and OpenCode.
How is DevCell different from Dev Containers?

Dev Containers are editor-first — you write a Dockerfile + devcontainer.json per project for VS Code or GitHub Codespaces. DevCell is agent-first: one command, 7 pre-built Nix-pinned stacks, 12+ MCP servers auto-merged at startup, stealth Chromium + Playwright, VNC/RDP built in, and 1Password secret injection. No per-project Dockerfile maintenance.
How is DevCell different from OpenClaw?

OpenClaw is a multi-channel messaging gateway (WhatsApp, Telegram, Slack) with AI features. DevCell is a sandboxed coding environment for AI agents. Key differences: DevCell has mandatory container isolation (OpenClaw is network-exposed by default with multiple critical CVEs in 2026), curated MCP servers with backing tools shipped in the image (OpenClaw has an open marketplace with 1,184 malicious skills found), and Claude Max/Pro subscriptions work directly (OpenClaw requires API keys since Anthropic blocked subscription auth in Jan 2026).
Can the agent install packages inside the container?

Yes. The agent can run apt, npm install, pip install, nix — whatever the project needs. Network access is unrestricted. Port forwarding and extra volume mounts are configurable in devcell.toml.
What about file permissions?

Permissions are pass-through. The container user matches your host UID, so files the agent creates are owned by you. No chown headaches.
Does my existing Claude Code config carry over?

Your project-level config (CLAUDE.md, .claude/) is mounted with your project. Host ~/.claude/skills is mounted read-write, the rest of ~/.claude is read-only. Your host-machine config stays safe. (Subject to change.)
Why not just run Docker myself?

You can. devcell saves you from maintaining a Dockerfile per project, wiring up MCP server configs, forwarding git identity, injecting secrets, and setting up entrypoint orchestration. One command instead of 20 minutes of Docker plumbing.
How big are the images?

Base is ~1.3 GB, ultimate is ~20 GB. First run lets you pick a stack and builds automatically. Base builds in under 2 minutes, ultimate takes ~5 minutes.

Agentic Coding,Without theBlast Radius.

Auto-approve, safely.

Blast radius bounded

One command, any project

Version-locked toolchain

Secrets never touch your disk

MCP servers with real tools behind them

Stealth Chromium built in

Quickstart

Install

Run from any project

What ships in the box.

Pick your stack.

FAQ

Ready to try it?

Agentic Coding,
Without the
Blast Radius.