Brig · by osnavi

Run AI coding agents on your own infrastructure — contained by construction, audited beyond doubt.

Brig is a self-hosted gateway that capability-gates every action an agent takes, runs untrusted code in a memory-safe sandbox with no ambient authority, and records everything to a tamper-evident audit trail you can verify. Model-agnostic. Your source never leaves your boundary.

Request early access →

Swiss-rooted · Self-hosted · Memory-safe · Model-agnostic · Provable audit

The problem

AI coding agents are powerful — and dangerous on infrastructure you care about. They've deleted production databases, leaked secrets to the open internet, and been hijacked by prompt injection into running attacker commands. The usual answer — wrap the agent in a container or VM — leaks: shared kernels have CVEs, egress is open by default, and an "audit log" you can't prove wasn't edited isn't evidence. For regulated and sovereignty-minded teams, that isn't good enough.

The difference

Contained by construction, not by policy. Untrusted and agent-generated code runs in a memory-safe runtime with no ambient access to your filesystem, network, or secrets — nothing to misconfigure, no shared kernel to escape. The attack isn't blocked; it's impossible.
Provable audit, not just logs. Every action — allowed, denied, sandboxed, approved — is written to an append-only, tamper-evident record you can cryptographically verify and replay. Show an auditor exactly what the agent did, and prove the record wasn't altered, even by you.
Yours, end to end — and sovereign. Self-hosted; your source never leaves your boundary. Model-agnostic: run a local open model for full confidentiality, or a vendor API under your egress controls — insulated from any single vendor's price, availability, or terms. Swiss-rooted and independent: our own infrastructure runs on Swiss hosting, not a US hyperscaler.

How it works

Your agent — Claude Code, Cursor, OpenCode, or your own — connects to Brig as its tool layer. Every tool call flows through a deny-by-default policy: capability-gated, egress-controlled, optionally human-approved. Code the agent wants to run executes in the memory-safe sandbox, bounded and escapeless. Every decision lands in the tamper-evident audit trail. Nothing reaches your real systems except what you allowed — and you can prove it.

Who it's for

Teams who can't simply trust an AI agent — or a foreign cloud vendor's promise: regulated finance and healthcare, the public sector and sovereignty-minded organizations, privacy-first engineering teams, and serious self-hosters who want provable control instead of hope.

Brig is
self-hosted · memory-safe · model-agnostic · your-source-stays-yours · auditable · Swiss-rooted.

Brig isn't
a cloud service that sees your code · another container wrapper on a shared kernel · an AI model. Brig doesn't replace your agent — it makes it safe to run.

Status

Brig is in active development, onboarding a small group of design partners. If you're running — or deliberately blocking — AI coding agents in a high-assurance environment, we'd like to talk.

Request early access →