CapaKit - Sandboxed from build to run.


Public Alpha · macOS · Bun workloads · Free to use

CapaKit is a free runtime and CLI toolkit for building
AI app Kits.

When your agent builds, tests, or runs a Kit,
it happens in isolation, not on your host.


```
# Install CapaKit:
$ curl -fsSL https://capakit.com/install.sh | sh
[✓] macOS releases are signed and notarized; shell installer verifies the CapaKit signature.

# Run a Kit straight from GitHub:
$ capakit run https://github.com/capakit/hello-world-demo-kit
[✓] App [hello-world] is running
[i] runtime: [ephemeral seatbelt sandboxes on macOS]
[i] host network endpoints:
    protocol=[mcp] endpoint=[/mcp] url=http://127.0.0.1:50958/mcp
press Ctrl-C to stop
```

When you tell an agent what to build, you inherit how it built it.

AI apps quietly become your responsibility. Most tooling only sandboxes the runtime, completely ignoring the risky, messy parts before it.

[Diagram: the build phase is exposed to the host machine, risking secrets and files, while only the run phase is isolated.]

The Problem

Most tools only sandbox the running code.

  • Leaked secrets: baked directly into code and configuration files.

  • Broad permissions: agents operate with full access to your host machine.

  • Unsandboxed builds: arbitrary scripts executing during npm install or builds.

[Diagram: the CapaKit sandbox encompasses both the build phase and the run phase.]

The Solution

Sandbox the entire app lifecycle.

  • No inherited environment or broad filesystem access.
  • No network by default. Traffic must be explicitly allowed.
  • Ephemeral, single-use sandboxes for every build and run.
  • Secrets resolved on-demand, never hardcoded.

Prompt Kit

Describe an AI app. Get a Kit.

A Kit is plain source code plus a manifest. It speaks MCP, A2A, and OpenAI-compatible protocols, and anyone can run it with one command, fully sandboxed.

You tell your coding agent:

Use capakit to create a Kit called invoice-helper.

I want a web UI where I pick an invoice from my invoices folder and see extracted fields.

First ask me to confirm the details are correct, then use the HubSpot API client to enter them.

Let my agents call the same workflow over MCP, and expose it as a Codex skill I can install.

Add tests and clear run instructions.

invoice-helper, the generated Kit:

  • Web UI: pick & review invoices from a folder
  • MCP endpoint: the same workflow, callable by your agents
  • Codex skill: installed with a single flag
  • Sandboxed: secrets, files, network


Under the Hood

A Kit is the standardized unit for AI apps. Here's exactly what's inside.

Structure

```
hello-world-demo-kit/
  agent guidance
  capability manifest
  capability checks
  workloads/
    hello workload source
  project summary
```

Why CapaKit?

  • Security

    Managing secrets, permissions, and blocking unwanted network access.

    Handled by default and tailored to each app's minimal needs.

  • Testing

    Making sure code, logic, and agent flows work reliably end-to-end.

    Structured testing, from single-workload checks to full integration tests, all run in isolation.

  • Sharing

    Wiring up network endpoints, resolving dependencies, and manual installs.

    Point CapaKit to a GitHub source, .capakit archive, or unpacked Kit folder.

Sandboxing the entire app lifecycle is what makes sharing possible. You can run a stranger's Kit from GitHub with one command, without trusting them, their dependencies, or their install scripts.

How It Works

One command flow. Sandboxed from build to run. No setup ceremony.

Explore Demo Kits

Built with CapaKit. Runnable with a single command straight from GitHub.

  • stable-diffusion
  • llama-cpp
  • web UI
  • MCP

[Screenshot: Kids Storybook Creator app]

Created a useful Kit?

Submit a PR to feature your Kit in the official Registry and share it with the community.

View Kit Registry ↗

CapaKit Philosophy

  • Local-first You build it, you own it. You can run it anywhere any time, even offline.

  • Agent-native Designed from the ground up to be driven, used, and understood by coding agents.

  • Isolation by default Isolation is treated as a first-class concern, not an afterthought.

FAQ

How is this different from Docker?

CapaKit starts and runs workload commands inside native macOS Seatbelt sandboxes generated per command. A Kit is more like Docker Compose in that it orchestrates multiple services and chooses what to expose to the host. Kits can import other Kits, so you can reuse higher-level components and build complex apps. A Kit also natively speaks MCP, A2A, skills, and OpenAI-compatible APIs, which containers don't.

Does CapaKit sandbox my coding agent?

CapaKit takes the full app lifecycle into account: dependency installs, builds, tests, and runs. Your agent edits source on the host as usual, but it never needs to run installs or app code with host access; it knows how to use CapaKit to perform that same action inside a sandbox.

What exactly is isolated?

Each workload runs (when in "managed mode") as a single-use sandboxed process: no inherited host environment, filesystem access limited to its workload root and declared mounts, no IP networking on start by default, and workload-to-workload traffic limited to manifest-declared connections over mTLS. Secrets are resolved on demand via RPC, never injected into the workload's environment or source.

What's the alpha scope?

macOS only, Bun workloads only, and some workloads (e.g. Chromium-based) don't run under the current sandbox yet.

Is it free? What's the business model?

The CapaKit runtime and CLI toolkit is free to use. We're building add-on products for teams that need to collaborate on Kits safely.

Is CapaKit open source?

The runtime and CLI are not open source today. We know trust has to be earned, so we sign and notarize binaries, document the Seatbelt policy, and allow auditing via `CAPAKIT_DEBUG_SEATBELT_POLICY=1`. See our [Security](./security.html) page for details.
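A minimal Seatbelt profile (SBPL) is sketched below as an added illustration of the constraints described in "What exactly is isolated?" and the policy-auditing answer above: deny by default, read/write only inside the workload root, declared mounts read-only, no IP networking, secrets fetched over a local RPC socket. It is not CapaKit's generated policy; the bun install path, workload root, mount and socket paths are assumed placeholders, and it can be tried standalone with macOS `sandbox-exec -f`.

```scheme
;; Added illustration of the isolation model; NOT CapaKit's own policy.
;; Every path below is an assumed placeholder for one workload.
(version 1)
(deny default)                       ; anything not listed is refused

;; Bare minimum to start the Bun runtime (assumed install path)
(allow process-exec (literal "/usr/local/bin/bun"))
(allow process-fork)
(allow sysctl-read)

;; System libraries and frameworks, read-only
(allow file-read*
  (subpath "/usr/lib")
  (subpath "/System/Library/Frameworks")
  (subpath "/private/etc"))
(allow file-read-metadata (literal "/") (literal "/tmp"))

;; Workload root: the only subtree the process may also write to
(allow file-read* file-write*
  (subpath "/tmp/capakit/workloads/hello"))

;; A mount declared in the manifest: readable, never writable
(allow file-read* (subpath "/Users/me/invoices"))

;; No IP networking: with no network-inbound/outbound rule for inet
;; sockets, every bind() and connect() is refused. The single exception
;; is a local Unix socket to the runtime's secret resolver, so secrets
;; arrive over RPC instead of being injected into the environment.
(allow network-outbound (literal "/tmp/capakit/run/secrets.sock"))
```

When auditing, dump the policy CapaKit actually generates with `CAPAKIT_DEBUG_SEATBELT_POLICY=1` and compare its rules against this shape: a missing `(deny default)`, a writable rule outside the workload root, or a broad `network*` allow is what to look for.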

What about Linux/Windows?

We started with a smaller support surface so we can add features incrementally while keeping an eye on security and usability.

Can my agent just bypass CapaKit?

Yes. CapaKit instructs agents to use its sandboxed facilities, but ultimately agents have their own sandboxing/approval mechanics.

Run your first Kit in 30 seconds

Free to use. Signed and notarized. No daemon, no Docker.

Read the Quick Start →