Run installs, coding agents and third-party builds inside an OS sandbox that gets nothing it didn't ask for: no keys, no secret environment, no network unless you grant it. No rewrite.
A dependency, a coding agent, a build step: each one runs with your full authority the moment you start it. Your files, your environment, your network, all inherited, all implicit. One poisoned package is all it takes to read your keys and send them somewhere else before the install even finishes.
Install scripts run on your machine under your account. A single compromised version can read anything you can.
An agent you let run commands runs them as you, with the same reach over your files, tokens and keys.
Every build pulls in code you didn't write, right next to the credentials the job needs to fetch, test and ship.
Wedge puts a boundary between your machine and the code you run on it. Inside it, untrusted software starts with no files, no secrets and no network, and gets back only what the job actually needs. The software runs exactly as before. It just can't reach anything you never handed it.
    # wrap any command; it starts with nothing it didn't ask for
    $ wedge shell npm install
    profile  restricted   # rootless namespaces + seccomp
    env      cleared      # no tokens, no cloud keys, no .npmrc
    fs       ./project    # your code; $HOME stays hidden
    net      deny         # grant one host with --net=registry.npmjs.org:443

    # the install-time script tries the usual harvest:
    read ~/.ssh, ~/.aws  → not in the sandbox
    connect exfil host   → no route out
Untrusted code sees the project directory you point it at and nothing else. Your home directory, SSH keys and credential files simply aren't inside the boundary to read.
The sandbox starts empty. Cloud keys, tokens and other secrets sitting in your shell never cross into it, so a poisoned install has nothing to harvest.
Off by default. Grant the one destination a job actually needs, and everything else, including an exfiltration server, stays unreachable.
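The files and environment points above, modelled as an added Python example that is not Wedge's code: it lists what a child process would inherit from a constructed developer shell and home directory, then what remains once inheritance is turned off. The name pattern, the allowlist and all sample values are assumptions made for illustration, and the model covers no namespace, seccomp or network enforcement.

```python
import re
import tempfile
from pathlib import Path

# Assumed heuristic (not Wedge's rules): variable names that usually hold credentials.
SECRET_NAME = re.compile(r"(TOKEN|SECRET|PASSWORD|API_?KEY|ACCESS_KEY|CREDENTIAL)", re.I)
# Credential locations the page names, relative to $HOME.
CRED_PATHS = (".ssh", ".aws", ".npmrc")
# Assumed allowlist of variables a build needs; everything else is dropped.
ENV_ALLOW = ("PATH", "LANG", "TERM")

def ambient_exposure(env, home):
    """Return (secret-looking env var names, credential paths present under home)."""
    names = sorted(k for k in env if SECRET_NAME.search(k))
    paths = sorted(p for p in CRED_PATHS if (Path(home) / p).exists())
    return names, paths

def scrubbed_env(env, sandbox_home):
    """Build the environment a child gets when nothing is inherited implicitly."""
    clean = {k: env[k] for k in ENV_ALLOW if k in env}
    clean["HOME"] = str(sandbox_home)  # empty throwaway home, not the real one
    return clean

def demo():
    """Compare inherited authority with the scrubbed case on constructed data."""
    with tempfile.TemporaryDirectory() as real, tempfile.TemporaryDirectory() as box:
        # Constructed developer home and shell environment.
        (Path(real) / ".ssh").mkdir()
        (Path(real) / ".aws").mkdir()
        (Path(real) / ".npmrc").write_text("//registry.npmjs.org/:_authToken=CONSTRUCTED\n")
        env = {"PATH": "/usr/bin:/bin", "HOME": real, "EDITOR": "vi",
               "NPM_TOKEN": "constructed", "AWS_SECRET_ACCESS_KEY": "constructed"}
        before = ambient_exposure(env, env["HOME"])
        clean = scrubbed_env(env, box)
        after = ambient_exposure(clean, clean["HOME"])
        return before, after, clean

if __name__ == "__main__":
    before, after, _ = demo()
    print("inherited:", before)
    print("scrubbed: ", after)
```

Running `ambient_exposure(os.environ, Path.home())` in a real shell gives a quick inventory of what an unsandboxed install script would start with.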
No ambient files, no inherited environment. Your SSH keys, cloud tokens and .npmrc are never placed in the sandbox, so untrusted code can't read what it was never granted.
least authority
Egress is deny-by-default. Name the one registry a build needs, and everything else, including an exfiltration server, is simply unreachable.
deny-by-default egress
Built on standard rootless Linux isolation: namespaces, seccomp and cgroups. Point Wedge at the software you already run. No manifest, no privileges, no code changes.
runs what you already run
If you install, build with, or hand a shell to software you didn't write, Wedge is for you. Same workflow, minus the ambient authority.
Pull in a dependency you haven't audited without handing its install script your SSH keys or cloud credentials.
→ the postinstall finds nothing to steal
Give an agent real access to your project, but not to your home directory, your secrets, or the open internet.
→ it edits your code, not your keys
Box third-party build and test steps so a compromised tool can't reach the secrets sitting next to it on the runner.
→ blast radius stays inside the box
Wedge is a strong layer, not a force field. Every security boundary has holes: an OS sandbox can't patch a Linux-kernel exploit, and it can't fix a bug inside the program you ran. Least authority is about stacking a slice where the holes don't line up with the others. We'll always tell you what Wedge stops, and what it doesn't.
Wedge is open source and lands later this year.
Wedge is a security tool, so we hold it to a security tool's standard. If you find a vulnerability, report it to us privately and we'll work with you on a fix and a fair disclosure timeline. Please don't open a public issue for a security bug.