Per-project devbox for running AI agents safely on any fresh Ubuntu ARM64 machine.
On a fresh Ubuntu machine, open a shell as a regular user (not root) and run:
```bash
curl -fsSL https://raw.githubusercontent.com/maoosi/devbox/main/install.sh | bash
```

The installer asks for the repo URL, picks a secrets manager, and walks you through pasting scoped tokens. At the end it prints the command to reconnect. If your policy requires reviewing piped scripts first, fetch `install.sh` and read it, or use the dry run described further down, which prints the same plan without applying it.
Devbox runs on any Ubuntu machine, but the cleanest setup is one OrbStack VM per repo on a Mac:

- In the OrbStack app, create a new machine: Ubuntu, latest, arm64, named `devbox-<project>`, with Isolate machine and Network Isolation enabled.
- Open its shell and run the install command above.
- Reconnect later with `ssh devbox-<project>@orb`, then `cd ~/<project>` (the clone folder is named after the repo).

Plain SSH or any other Linux host works too; the install steps are identical.
| ✨ Feature | 📦 Details |
|---|---|
| Per-project isolation | one Ubuntu machine per repo, so clone, PAT, and secrets stay scoped to that single project |
| Fresh Ubuntu bootstrap | starts from a clean Ubuntu host and sets up the devbox in one install flow |
| Git safety mode | read-only or write, chosen at install; write mode enforced by a pre-push hook |
| Agent guardrails | deny rules for risky commands like git push --force, git reset --hard, npm publish, … |
| Supply chain defaults | npm/pnpm/yarn/pip/uv/cargo aliased through Socket Firewall (`sfw`); `ignore-scripts=true` set globally |
| Agent workflow defaults | writes project-scoped ~/AGENTS.md conventions and wires a GitHub MCP server |
| Core runtimes | Bun, Node LTS (via fnm), pnpm |
| GitHub tooling | gh CLI with a repo-scoped fine-grained token flow |
| ✨ Feature | 📦 Details |
|---|---|
| Agent CLIs | Claude Code |
| Agent tools | agent-browser, extra skills |
| Dev tools | Vite+ |
| Secrets manager | Doppler or Infisical (one project, read-only token flow) |
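To make the git safety mode in the table concrete, here is an added example of a pre-push hook written for this README; it is not devbox's own hook. It assumes a hypothetical git config key `devbox.gitmode` holding `read-only` or `write` (devbox may store the mode differently), and is meant to be dropped in as `.git/hooks/pre-push`. In write mode it allows a ref update only if it fast-forwards the remote ref, which is exactly what blocks `git push --force` and branch deletions; anything it cannot verify is rejected.

```sh
#!/bin/sh
# Added example, not devbox's own hook: a pre-push hook that enforces a
# git safety mode like the one the table describes.
#   read-only : every push is rejected
#   write     : a push is allowed only if it fast-forwards the remote ref,
#               so force pushes and branch deletions are refused
# The mode is read from a hypothetical git config key, devbox.gitmode.
# Install as .git/hooks/pre-push (chmod +x).
#
# git feeds the hook one line per ref on stdin:
#   <local_ref> <local_sha> <remote_ref> <remote_sha>
# A local_sha of all zeros means "delete remote_ref"; a remote_sha of all
# zeros means the remote ref does not exist yet.
set -u
ZERO_SHA=0000000000000000000000000000000000000000

# check_ref_update MODE LOCAL_SHA REMOTE_SHA -> exit 0 if allowed, 1 if not
check_ref_update() {
  mode=$1; local_sha=$2; remote_sha=$3
  case "$mode" in
    read-only)
      echo "devbox: repo is read-only, push rejected" >&2
      return 1 ;;
    write)
      if [ "$local_sha" = "$ZERO_SHA" ]; then
        echo "devbox: refusing to delete a remote branch" >&2
        return 1
      fi
      # Creating a new remote branch overwrites nothing.
      if [ "$remote_sha" = "$ZERO_SHA" ]; then
        return 0
      fi
      # Fast-forward iff the current remote tip is an ancestor of what we push.
      # merge-base exits 1 when it is not, and 128 when remote_sha is unknown
      # locally (stale fetch); both are treated as "reject" (fail closed).
      if git merge-base --is-ancestor "$remote_sha" "$local_sha" 2>/dev/null; then
        return 0
      fi
      echo "devbox: non-fast-forward push rejected (force push or rewritten history)" >&2
      return 1 ;;
    *)
      echo "devbox: unknown git mode '$mode', failing closed" >&2
      return 1 ;;
  esac
}

# Hook body: reject the whole push if any single ref update is not allowed.
run_hook() {
  mode=$(git config --get devbox.gitmode || echo read-only)   # unset => read-only
  while read -r local_ref local_sha remote_ref remote_sha; do
    check_ref_update "$mode" "$local_sha" "$remote_sha" || return 1
  done
  return 0
}

# git calls pre-push with two arguments (remote name, remote URL); when the
# file is sourced or run without them, only the functions are defined.
if [ $# -ge 2 ]; then
  run_hook
  exit $?
fi
```

Because the hook runs on the client, it stops an agent that calls `git push` in the devbox, not someone with the token who pushes from elsewhere; pair it with a token scoped as narrowly as the table describes.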
From a checkout of the devbox repo, a dry run of the installer:

```bash
bun install
bun src/cli.ts --dry-run
```

Walks the prompts and prints every command/file the installer would run, without touching your system.
- `bun install` is not wrapped by Socket Firewall. Prefer pnpm where you can.
- `ignore-scripts=true` breaks packages that legitimately need install scripts (sharp, puppeteer, …). Per-package escape: `pnpm install --ignore-scripts=false <pkg>`.
- If socket.dev is unreachable, `sfw` fails closed. Emergency bypass: `command pnpm install …` (or `command npm install …`) skips the wrapper for one invocation, because `command` ignores shell aliases and functions, which is how the wrapper is attached.
- `sfw` only scans install-like subcommands. Runtime commands (`pnpm run`, `cargo build`, `npx`) bypass it, so tools they spawn (Doppler, gh) hit the network directly.
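The caveats above all rest on two things staying true in your shell: the package managers are still aliased through `sfw`, and `ignore-scripts=true` is really set. Here is an added audit script for checking both from inside the devbox; it is not part of devbox. It assumes the alias form `alias pnpm='sfw pnpm'` (devbox's actual alias text may differ, so adjust `GUARD_PATTERN` if needed) and parses npmrc-style files the way npm and pnpm read them, with the last assignment winning.

```sh
#!/bin/sh
# Added example, not part of devbox: audit the supply-chain guardrails from
# inside the devbox shell.
#   1. each package manager is still routed through sfw (Socket Firewall)
#   2. an npmrc-style file really sets ignore-scripts=true
# Assumes the alias form `alias pnpm='sfw pnpm'`; adjust GUARD_PATTERN if
# devbox's alias text differs. Aliases are only visible to the shell that
# defined them, so source this file in your interactive shell rather than
# running it as a separate script.

GUARDED_PMS="npm pnpm yarn pip uv cargo"
GUARD_PATTERN="sfw"

# Prints one line per package manager that is NOT aliased through sfw.
# Note: `command <pm>`, or a PATH lookup by a spawned tool, skips the alias
# anyway (that is the emergency bypass); this only confirms the alias exists.
unguarded_pms() {
  for pm in $GUARDED_PMS; do
    # `alias NAME` exits non-zero and prints nothing when no alias exists.
    if ! alias "$pm" 2>/dev/null | grep -q "$GUARD_PATTERN"; then
      printf '%s\n' "$pm"
    fi
  done
}

# ignore_scripts_enabled FILE -> 0 if FILE sets ignore-scripts=true, else 1.
# Skips comment lines and surrounding whitespace; the last assignment wins,
# so a later `ignore-scripts=false` overrides an earlier `true`.
ignore_scripts_enabled() {
  [ -r "$1" ] || return 1
  val=$(sed -n 's/^[[:space:]]*ignore-scripts[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
  [ "$val" = "true" ]
}

# audit_guardrails NPMRC... -> 0 if everything is in place, 1 with warnings.
audit_guardrails() {
  rc=0
  for pm in $(unguarded_pms); do
    echo "WARN: $pm is not aliased through sfw" >&2
    rc=1
  done
  for f in "$@"; do
    if ! ignore_scripts_enabled "$f"; then
      echo "WARN: $f does not set ignore-scripts=true" >&2
      rc=1
    fi
  done
  return $rc
}

# Typical call from the devbox shell, against the user-level npm/pnpm config:
#   audit_guardrails "$HOME/.npmrc"
```

Run `audit_guardrails` after any change to your shell rc files or after a `command pnpm install …` bypass to make sure the alias layer is still intact; a non-zero exit means at least one guardrail is missing.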