Code on Incus gives every AI coding agent its own isolated machine
Code on Incus isolates AI coding agents in secure system containers with real-time threat detection, protecting host machines from credential leaks and attacks.
Code on Incus (COI), an open-source tool by Mensfeld, runs AI coding agents like Claude Code, opencode, and pi inside full system containers isolated from the host machine. Each agent gets root access, systemd, Docker, and package management—operating like a real server—while credentials such as SSH keys and Git tokens never enter the container unless explicitly mounted.
The tool adds active defense through kernel-level nftables monitoring that detects reverse shells, C2 connections, data exfiltration, and credential scanning in real time. High-severity threats trigger automatic pausing, and critical threats trigger automatic container termination—no manual intervention required. This matters for engineers running multiple parallel AI agents who need isolation without giving up visibility into agent behavior.
Unlike Docker, COI uses unprivileged system containers for stronger isolation, with automatic UID mapping, persistent sessions across restarts, snapshot/rollback support, and read-only protection for sensitive paths like .git/hooks. The project is positioned not as a product or startup, but as a practical tool built by developers who needed to safely run autonomous coding agents.