# greywall > Container-free, deny-by-default sandbox for AI coding agents. Kernel-enforced filesystem, network, and syscall isolation for Linux and macOS - **URL**: https://www.freshcrate.ai/projects/greywall - **Author**: GreyhavenHQ - **Category**: Security - **Latest version**: `v0.3.7` (2026-06-01) - **License**: Apache-2.0 - **Source**: https://github.com/GreyhavenHQ/greywall - **Homepage**: https://greywall.io - **Language**: Go - **GitHub**: 161 stars, 24 forks - **Registry**: github - **Tags**: `agents`, `ai-security`, `claude-code`, `developer-tools`, `go`, `greyproxy`, `landlock`, `linux`, `llm` ## Description Container-free, deny-by-default sandbox for AI coding agents. Kernel-enforced filesystem, network, and syscall isolation for Linux and macOS ## Recent releases | Version | Date | Urgency | Changes | | --- | --- | --- | --- | | `v0.3.7` | 2026-06-01 | High | ## Changelog ### New Features * 5581056d0523bfa244d8061008744ed9f72a0361 feat: add NixOS support (#93) | | `v0.3.6` | 2026-05-22 | High | ## Changelog ### New Features * 1ab2de35d61c7bb9ef49aa3230b32efdde05215e feat(cli): --allow-path / --allow-read-path for per-session filesystem grants (#100) ### Bug fixes * 6a9556506d840924052e39c7a1d7e4d22144b838 fix(cli): keep --allow rules working under --proxy-user (#96) (#97) | | `v0.3.4` | 2026-05-20 | High | ## Changelog ### New Features * efde7def88b2c29b3f7c7669f0f58873dd10a0bf feat(watch): --watch observability mode and greywatch alias (#94) * 2868d61241a7f151b73e9bcf500439f8b94541d3 feat: macos per session tmpdir (#90) ### Bug fixes * ffb2515b9b1afc92297ada64072fba7fb2748c5c fix(brew): expose greywatch alias in PATH via cask binary target (#95) * dba3c338c45e7e5bb12e2bab4256cf2dc490bce7 fix: allow terminal ioctls under landlock (#92) | | `v0.3.3` | 2026-04-23 | High | ## Changelog ### New Features * 57cf0cdba0457832751718b06182bcd68999745a feat(cli): --proxy-user to inject a caller-chosen SOCKS5 username (#87) | | `v0.3.2` | 2026-04-14 | High | ## Changelog ### New Features * 49842339136c465dbc1219f3f8fcc6e71403258f feat(prompt): show profile network rules in first-run prompt (#82) ### Documentation updates * fdd9f1da149e620b7ec60f08a39f7d216023f0dd docs: sync from docusaurus site (#78) ### Other work * eba81a972702525c09d80d0a5da900ff2c6676e6 Session-scoped network rules from profiles (#80) | | `v0.3.1` | 2026-04-10 | High | ## Changelog ### New Features * 9973ee16912a867bbe7f3ff81e8ff4146f8d7862 feat: set SSL_CERT_FILE when greyproxy TLS interception is active (#73) ### Bug fixes * b0cec48ae57d5a4aa0e38fc4cdf1738c02395c3b fix: add macOS stub, docs, and Merge() for allowAudio (#72) (#75) * 64ca048ad3db8269350665b936304eef524dc79e fix: expose PulseAudio and PipeWire sockets for audio output in Linux sandbox (#72) | | `v0.3.0` | 2026-04-01 | Medium | ## Changelog ### New Features * 1906877fd3b26cde69fa0ce9fb6d29b0dab32fc6 feat: add credential substitution for sandboxed environments (#63) * 09c75887eaf80de322cfe1e8fbb6e8934bc85138 feat: add ph badge (#68) * aedbfefdf80734a1a064e35c45bd631b9e7db045 feat: add profiles edit command (#64) * ff9836a51bf6202195f7437f4938f2d8f136f7bc feat: beta release channel (#38) * 3da5e8a15d27184c65633d502ee68fa6afbcdeed feat: forward host localhost ports into Linux sandbox (#42) (#43) ### Bug fixes * 2010aaf16f | | `v0.2.8` | 2026-03-20 | Low | ## Changelog ### New Features * bb4f688d312ef7fd391feb11a3fcb745d06ec366 feat: inject keyring credentials for gh/glab profiles via secret-tool (#34) * 35a8efaef18bff0874be2c8b8348fc5c3d4b76ca feat: readme seo optimization (#30) ### Bug fixes * a8bcc60c9d4624714c109fcedacc813d15729b3c fix: block D-Bus session bus to prevent sandbox escape via GVFS (#33) | | `v0.2.7` | 2026-03-18 | Low | ## Changelog ### Bug fixes * 76c07b0ae8b6d1328aad3d54b95f9bdb33422a7a fix: allow TLS certificate verification in macOS sandbox (#29) | | `v0.2.6` | 2026-03-13 | Low | ## Changelog ### Bug fixes * 9615dfa7251b23d70497f28ebfc4fad26914d72c fix: forward signals and drop --new-session for TUI support (#15) * a9aecf3d658ee1156704ccaefedf6558866874fa fix: use file-read-data instead of file-read* in macOS Seatbelt deny rules (#20) ### Other work * 99ae165105d76f3b072d5f5c75ad2c200c66fc97 chore: add logo (#16) | ## Citation - HTML: https://www.freshcrate.ai/projects/greywall - Markdown: https://www.freshcrate.ai/projects/greywall.md - Dependencies JSON: https://www.freshcrate.ai/api/projects/greywall/deps _Generated by freshcrate.ai. Indexes github releases for AI-agent ecosystem packages._