I think the most secure setup, though not so convenient for the average user, is a separate machine with QEMU/KVM. The machine should be isolated adequately, such that even if compromised, it shouldn't be able to cause damage or gain access to other machines. Additionally, a proxy server on your machine or elsewhere could hide sensitive credentials. A helper binary on your computer would then control spawning new disposable VMs with premade images and your SSH key. The images can be lightweight or the desktop version with a remote VNC.
Gondolin[1] is what you are describing. It's made by the same person who made the Pi coding agent and sends all of the agent's bash into a small QEMU vm.
I use vagrant on a seperate machine in a seperate network. The magic of ssh makes it transparent for me, and I feel pretty sure the agents cannot get to stuff that matters.
I am certainly no expert in this space so it is quite possible I'm missing something critical, but what seems to work for me is a Podman image I built on my computer with some basic things I need (using OpenCode, but I imagine any other agent could be used instead):
From there I just run the Podman image from the command line (using a Fish function) that mounts the specific project I'm working on to /workspace. I guess there might be some vulnerabilities with shared kernels and such, but it seems like an easy way to have some isolation.
This is how I started, and then I wanted to bring along creature comforts, not have to re-auth per box (for subscription models), had some skills I usually wanted to bring, wanted slightly different setups for different stacks, sensibly install multiple agents, import git identity (but not credentials), mount other code folders ro but only for certain projects, etc etc, and ended up with a full Docker wrapper.
Ah, that makes sense. I've only recently started playing with this stuff, and I've been focusing a lot of just getting somewhat good at using LLMs for projects while developing my own intuition, so everything I do just uses the mounted project and uv directly. As soon as things get more complex, I imagine I'll end up with a full wrapper as well.
Unrelated: I enjoyed your latest blog entry. I recently starting thinking about how to show the work that is done with AI, and how we talk about it. I haven't come to any major conclusions (I wish!), but your post about the prompting being distinct from the actual work resonates with me. Reminds me somewhat of discussions about the art of photography compared to the art of editing photos as a distinct skill.
- Sandbox on Linux using Docker, Podman, containerd, gVisor, Kata, Firecracker
- Sandbox on Mac using Docker (Docker Desktop or Orbstack), Podman, Apple containers, Seatbelt, Tart (Tart lets you run simulators).
- Network restriction
- Secrets control (file mounts or credentials broker)
- NO ambient data (ENV is replaced with a minimal and local-to-sandbox one, no host-side filesystem access beyond what you explicitly allow)
- Workdir protection: Your work dir is never modified until you apply the changes, either standalone or as a git commit. You can also diff before applying. Git runs SANDBOX side in case the repo has filters.
- Uses copy-on-write if your filesystem supports it (most modern ones do)
- Has built-in support for claude, codex, gemini, aider, and opencode, but you can also launch it in "shell" mode and run whatever you want.
- Supports VS code tunnels, so you can remotely access in VS code if you don't want to use the terminal.
- Layered API (golang) if you want to sandbox other things
- Self-contained binary. No external requirements other than the backends you want to use. Defaults to a ~/.yoloai dir for config/data, but you can point it anywhere.
Hadn't seen yoloai before. I really like new/diff/apply/destroy workflow, that's interesting. For my own needs the two things I was after were multi-repo worktrees (one sandbox spanning several repos, each on with its own worktree) and a single network restricted VM path I fully control, rather than many backends (I started with many backends at first but it was awkward to add network filtering to them).
Lots of overlap though, nice work, and I'll be reading through yours.
It was designed to not require root, and the nftables firewall ended up becoming the only exception. I'm very curious about how you implemented this. Did you find a better way?
(Years ago I had puppet and cobbler provisioning VMs over PXE and then iPXE. FWIU foreman is more actively maintained than cobbler, which is built on Django web framework.)
Vagrant manages VMs and virtual networks, in Ruby.
ansible-molecule creates, converges, and destroys VM(s) and containers, in order to test ansible playbooks and ansible roles in clean build roots.
`podman kube play` over `podman machine` might solve for agents that need multiple VMs/containers
- Podman Desktop can work with the same local k8s setups as Docker Desktop. Though there's certainly more state to manage with k8s for agent session farm, k8s probably has better logging and quotas than a VM management script on each node.
OpenShift on OpenStack is one way to do containers over VMs over bare metal.
Microshift also does container-selinux.
There is not an apparmor policy set for containers?
bwrap and liboverlayfs and libseccomp are almost but not quite containers.
There are stronger container isolation layers that are more like a full or lightweight VM, that might be better for agent sessions: gVisor, firecracker vm, Todo
Cloudflare workerd is the open source part of cloudflare workers, which run lightweight WASM and JS VMs with multi-tenant isolation.
It takes far less resources to run a cloudflare worker than to run a container on cloudflare. So, if it's possible for an agent to operate within a WASM runtime ~container, that's probably more optimal for agent sessions.
Cloudflare/artifact-fs does lazy shallow git clones with a FUSE filesystem.
Thanks! There's no packet firewall at all, no iptables/nftables. On macOS the VM's NIC is a Virtualization.framework file-handle device. The daemon runs gvproxy, which terminates the guest's connections and re-dials them as host sockets, so I filter with an allow-list right before the dial.
One caveat, since you asked about root specifically: that's the macOS path, and it only works thanks to the fd NIC. Firecracker on Linux only speaks a TAP, which needs root, so there I do shell out to sudo, but just for the device. The filtering is still the same userspace allow-list.
Thanks for the pointers!! I'm using passt, didn't know about gvproxy. This is awesome and could provide rootless filtering and firewall for my guest VMs. I'm going to experiment with this!
I still don't understand the point of all these VMs and containers for agents. Just create a separate user on your machine without sudo privileges, switch to it in your terminal and run all the agents you want without it being able to reach your files. What am I missing?
Privilege escalation (e.g. setuid), world-readable files might contain sensitive data, world-writeable files, unrestricted network access (including access to all locally running services)... If you have fully patched system without zero-days and it's configured in a perfect way, then, sure...
Container is quite like a "separate user" except you can explicitly define what it can access.
(Even if all your daemons have good auth, it's now quite common for _apps_ to open listening sockets without much auth...)
If your threat model is that of a malicious agent that will use a 0-day LPE to get root and exfiltrate all of your SSH keys, virtualization makes sense. But then, I wouldn't run such an agent at all, if not specifically in the context of malware analysis.
If you're just concerned about "agent messing up and taking the rules in some markdown files more laxly than I would have", then running it as a seperate user is totally enough...
Threat model is supply chain attacks on unmaintained package repositories like npm, pip and cargo. Everything on my host comes from my Linux distribution's repositories. Everything else gets virtualized with extreme prejudice. I'll even virtualize my Steam games one of these days.
What kind of things are you even doing that the agent would try to perform a kernel exploit on you? I thought sandboxing is just to protect from the agent accidentally clearing your home directory.
Side note, just 6 days ago a Linux VM escape exploit was disclosed.
I'm not worried about the agent at all. The VM is there to prevent it from clobbering files on my real system.
I'm worried about supply chain attacks on npm, pip, cargo and everything else. Don't want to get compromised if I install some stupid package.
My virtdev project has essentially split my computer into two systems: my "real" trusted system with software coming directly from my Linux distribition's repositories, and the VMs for everything else.
> just 6 days ago a Linux VM escape exploit was disclosed
And those installed programs could have vulnerabilities that just a non-root user account could still take advantage of. Perhaps not likely for an LLM to do, but more so if you let them loose on the internet and they end up coming across prompt injection that instructs exactly that :)
There are two sides to this. The first is security, which plenty of comments already covered. The second, and the real one for me: my tests spin up Docker containers, and I was building a Kubernetes tool (argocd/flux style) that needs a real cluster in the sandbox. In a container that means Docker-in-Docker, which always felt hacky. A VM is just a normal Linux box where Docker and k8s run like they do everywhere else. A separate user can't give you that, it shares your one kernel and whatever's already installed on the host.
There is a reason why VMs even are a thing at all: they can offer better security guarantees than alternatives.
A separate user is a good start but LLM tests themselves show they can cleverly bypass guardrails if they figure out they are in a sandboxed environment of some kind, right?
So, I read those test results as: an LLM is less likely to do something crazy if it thinks it has the whole environment to itself.
Codex uses bwrap sandbox which is purely cosmetic - out-of-box it sees your ssh keys and can send it to remote server. It prevents agent from deleting outside files by mistake, but does nothing against malicious activity
that Pi extension, by contrast, gives you a popup whenever an agent tries to access something outside the current working directory and send a network request. that depends on configuration. also if agent tries to ssh into something that will also send a request for access, so child processes are covered
Actually that doesn't just work on all systems and it breaks on others. The alternate user is actually guaranteed to work on all systems and it's built in
If you think those two contexts are equally secure, your machine is incredibly insecure and I hope you run daily incremental full system backups.
You have far too much data in unsecured locations, and you have far too little understanding of what an agent would do, to go "I trust whatever this user account will be doing on my machine".
When firing up agent VMs for my personal projects, I tried to completely separate SSH keys as well. Surprisingly annoying to have multiple keys for, say GitHub, and restrict the agent to use a deploy key.
I saw this project enables ssh-agent forwarding, so my question; is this a non-issue to begin with? Or just not your focus currently.
If the agent is running on your machine, it will suspend when you put your laptop asleep. I prefer using a remote Linux VM to let the coding agent keep working.
I’m quite happy with exe.dev for this. My laptop is asleep upstairs but I have an agent coding away in a browser tab on the tablet I’m using. I could also check on it from my phone.
But it might also be nice if a setup similar to exe.dev were available for self-hosting. I have a Mac Mini that I don’t really use much.
Another +1 to cloud sandboxes (and exe.dev) vs laptop sandbox.
Runs 24/7 completely air gapped from your laptop.
You also want a service proxy so the sandbox can access GitHub or Stripe without keys accessible to the agent. I haven't seen many of the laptop sandbox tools do this, where exe.dev does it out of the box with their "integrations".
I usually drop my own binary agent coding toolkit inside the sandbox so I have things like a code browsing and review right there in every sandbox too.
Like you I also have a Mac Mini I've thought about making into my own 24/7 dev box, but building this vs buying 50 VMs from exe.dev for $20/mo doesn't add up for me.
Which is just a front for systemd-nspawn. It's annoying you have to edit the config.nspawn to mount a directory if you start it with the "shell" command, instead of booting. But apart from that, it's brilliant.
And, make coding harnesses run 20x faster at many multi-processing and file operations by running the coding harness itself inside of Linux instead of MacOS…
Does Codex run its own sandbox? I see that sometimes it runs commands without asking, which then fail for some reason, and it asks to run them again "outside of the sandbox"
The core abstraction seems identical to Fly.io Sprites: give the coding agent its own real Linux machine, put a hard network/isolation boundary around it, then yeet.
Sprites arguably has the better security boundary, since the agent isn’t sitting adjacent to my laptop and home network.
and probably this is why there are so many such projects. With agents, a sandbox is an important tool to have, with LLMs it is easy to vibe-code a new project, so we have dozens of sandbox projects. With so much noise, it is hard for these projects to reach a critical mass, so we may continue to see more and more sandboxes. Most will get a couple of stars on GitHub, but will be used mainly by the author. Unfortunately, we may see the same pattern with any other problem domain, dozens of projects, many vibe coded, many of questionable quality, nothing reaching maturity due to too much noise.
Probably. If I remember correctly, containers on Linux are implemented using the kernel's namespaces. The same ones which became famous for the vulnerabilities they surfaced in previously unexercised code.
> On your own machine that leaves two bad options. You approve every command (and babysit a prompt every few seconds), or you run --dangerously-skip-permissions and hope nothing important is one rm -rf or one leaked token away.
Literally everyone has the option to use a VM - it's built into Windows, UTM on MacOS, Docker on Linux. Yes, "a tool that automatically builds a VM" is useful, but we've had a third option (four, if you count "actually I disagree with the idea that it's only useful if it's fully agentic") from day one.
How many of these are there now, a hundred? We get it, you can run an agent in a VM/container/sandbox. What about configuration management & rollbacks? What about the policy engine? What about dynamic credential management? What about the lethal trifecta? A sandbox is the easiest part and doesn't address the others.
I developed a VM project just like this one. Asked Fable to stress test it and try to break out of containment, and to my surprise it didn't manage to. Fable didn't get downgraded to Opus either, for some reason.
Would have thrown Mythos at it if I had access to it.
I initially thought that was the case: literally the same weights but with an incredibly obnoxious "safety classifier" tacked on. Now I'm uncertain because people on HN have told me it's a different model altogether with further fine tuning for safety or something.
You should conduct the same test with knowingly faulty containment, otherwise the theory that the model is hobbled should probably outrank that it couldn't escape.
That's a good idea. I don't have Fable at the moment, when it comes back I'll ochestrate those tests.
Opus did manage to iron out a lot of fail open bugs during development though, and Fable's like a hundred times more relentless than Opus. I'm not saying it's a definitive result or that my VM firewall thingy is unhackable... I'm just saying it put a smile on my face.
You might prefer byre's simplicity, transparency, and ease of reasoning about: one local container, explicit access grants, readable generated Docker, and a workflow that stays close to normal development rather than introducing a larger sandbox platform. It's also very very easy to eject from if you want to stop using it.
[1](https://earendil-works.github.io/gondolin/
Unrelated: I enjoyed your latest blog entry. I recently starting thinking about how to show the work that is done with AI, and how we talk about it. I haven't come to any major conclusions (I wish!), but your post about the prompting being distinct from the actual work resonates with me. Reminds me somewhat of discussions about the art of photography compared to the art of editing photos as a distinct skill.
- Sandbox on Linux using Docker, Podman, containerd, gVisor, Kata, Firecracker
- Sandbox on Mac using Docker (Docker Desktop or Orbstack), Podman, Apple containers, Seatbelt, Tart (Tart lets you run simulators).
- Network restriction
- Secrets control (file mounts or credentials broker)
- NO ambient data (ENV is replaced with a minimal and local-to-sandbox one, no host-side filesystem access beyond what you explicitly allow)
- Workdir protection: Your work dir is never modified until you apply the changes, either standalone or as a git commit. You can also diff before applying. Git runs SANDBOX side in case the repo has filters.
- Uses copy-on-write if your filesystem supports it (most modern ones do)
- Has built-in support for claude, codex, gemini, aider, and opencode, but you can also launch it in "shell" mode and run whatever you want.
- Supports VS code tunnels, so you can remotely access in VS code if you don't want to use the terminal.
- Full lifecycle support: Launch, attach, stop, restart, wait, one-shot, clone, destroy
- MCP passthrough
- Layered API (golang) if you want to sandbox other things
- Self-contained binary. No external requirements other than the backends you want to use. Defaults to a ~/.yoloai dir for config/data, but you can point it anywhere.
- FOSS
https://github.com/kstenerud/yoloai
> clawk network allow my-project api.example.com
Can you describe the implementation details? How did you implement the firewall without root?
I vibecoded virtdev, a virtual machine orchestration project just like this one:
https://github.com/matheusmoreira/virtdev
It was designed to not require root, and the nftables firewall ended up becoming the only exception. I'm very curious about how you implemented this. Did you find a better way?
Vagrant manages VMs and virtual networks, in Ruby.
ansible-molecule creates, converges, and destroys VM(s) and containers, in order to test ansible playbooks and ansible roles in clean build roots.
podman machine manages VMs:
- podman-container-tools/podman-machine-os: machine image files: https://github.com/podman-container-tools/podman-machine-os/...
`podman kube play` over `podman machine` might solve for agents that need multiple VMs/containers
- Podman Desktop can work with the same local k8s setups as Docker Desktop. Though there's certainly more state to manage with k8s for agent session farm, k8s probably has better logging and quotas than a VM management script on each node.
OpenShift on OpenStack is one way to do containers over VMs over bare metal.
Microshift also does container-selinux.
There is not an apparmor policy set for containers?
bwrap and liboverlayfs and libseccomp are almost but not quite containers.
There are stronger container isolation layers that are more like a full or lightweight VM, that might be better for agent sessions: gVisor, firecracker vm, Todo
Cloudflare workerd is the open source part of cloudflare workers, which run lightweight WASM and JS VMs with multi-tenant isolation.
It takes far less resources to run a cloudflare worker than to run a container on cloudflare. So, if it's possible for an agent to operate within a WASM runtime ~container, that's probably more optimal for agent sessions.
Cloudflare/artifact-fs does lazy shallow git clones with a FUSE filesystem.
- "Show HN: VM-curator – a TUI alternative to libvirt and virt-manager" https://news.ycombinator.com/item?id=46750437
https://news.ycombinator.com/item?id=46825026 ; amla sandbox, agentvm, ARM64 MTE
https://news.ycombinator.com/item?id=46825119 ; container2wasm , vscode-container-wasm-gcc-example ; build WASM containers with Dockerfiles
docker and podman support multiple WASM runtimes for running WASM containers, e.g. for agent sessiobs
Container is quite like a "separate user" except you can explicitly define what it can access.
(Even if all your daemons have good auth, it's now quite common for _apps_ to open listening sockets without much auth...)
If you're just concerned about "agent messing up and taking the rules in some markdown files more laxly than I would have", then running it as a seperate user is totally enough...
Side note, just 6 days ago a Linux VM escape exploit was disclosed.
I'm worried about supply chain attacks on npm, pip, cargo and everything else. Don't want to get compromised if I install some stupid package.
My virtdev project has essentially split my computer into two systems: my "real" trusted system with software coming directly from my Linux distribition's repositories, and the VMs for everything else.
> just 6 days ago a Linux VM escape exploit was disclosed
Well, shit. Details?
All that stuff should also go into the agent user's home directory.
CVE-2026-43499 - https://nebusec.ai/research/ionstack-part-2/
Security is riddled by traps. If you can afford best possible level of isolation, why not do it?
A separate user is a good start but LLM tests themselves show they can cleverly bypass guardrails if they figure out they are in a sandboxed environment of some kind, right?
So, I read those test results as: an LLM is less likely to do something crazy if it thinks it has the whole environment to itself.
You have far too much data in unsecured locations, and you have far too little understanding of what an agent would do, to go "I trust whatever this user account will be doing on my machine".
Seems like both projects are following very similar approaches.
So should be noted it's mostly macOS out of the box with some Linux support if I understand right.
I saw this project enables ssh-agent forwarding, so my question; is this a non-issue to begin with? Or just not your focus currently.
I’m quite happy with exe.dev for this. My laptop is asleep upstairs but I have an agent coding away in a browser tab on the tablet I’m using. I could also check on it from my phone.
But it might also be nice if a setup similar to exe.dev were available for self-hosting. I have a Mac Mini that I don’t really use much.
Runs 24/7 completely air gapped from your laptop.
You also want a service proxy so the sandbox can access GitHub or Stripe without keys accessible to the agent. I haven't seen many of the laptop sandbox tools do this, where exe.dev does it out of the box with their "integrations".
I usually drop my own binary agent coding toolkit inside the sandbox so I have things like a code browsing and review right there in every sandbox too.
https://github.com/housecat-inc/scratch
Like you I also have a Mac Mini I've thought about making into my own 24/7 dev box, but building this vs buying 50 VMs from exe.dev for $20/mo doesn't add up for me.
It is possible to simply not do that. Laptops work just fine as servers. They even have a builtin monitor and UPS.
https://bitrise.io/platform/remote-dev-environments
Bitrise has been doing macOS VMs for CI for 10 years, so we extended the existing product to this use-case.
Which is just a front for systemd-nspawn. It's annoying you have to edit the config.nspawn to mount a directory if you start it with the "shell" command, instead of booting. But apart from that, it's brilliant.
https://github.com/daitangio/take-ai-control
It is docker + vscode friendly. I tested it with major systems (copilot, codex, Claude Code and pi.dev) Comments Wellcome!
Cursor has something similar. I don't know about Claude Code but I assume it does as well since Anthropic has open sourced their own sandboxing tool.
Sprites arguably has the better security boundary, since the agent isn’t sitting adjacent to my laptop and home network.
Literally everyone has the option to use a VM - it's built into Windows, UTM on MacOS, Docker on Linux. Yes, "a tool that automatically builds a VM" is useful, but we've had a third option (four, if you count "actually I disagree with the idea that it's only useful if it's fully agentic") from day one.
Would have thrown Mythos at it if I had access to it.
Opus did manage to iron out a lot of fail open bugs during development though, and Fable's like a hundred times more relentless than Opus. I'm not saying it's a definitive result or that my VM firewall thingy is unhackable... I'm just saying it put a smile on my face.
You might prefer byre's simplicity, transparency, and ease of reasoning about: one local container, explicit access grants, readable generated Docker, and a workflow that stays close to normal development rather than introducing a larger sandbox platform. It's also very very easy to eject from if you want to stop using it.
Did you know that before reinventing the wheel, you can ask LLM your requirements, and they can find the most suited already existing tool ?
There is absolutely nothing wrong with reinventing the whell. It's entirely possible to do it and end up discovering you've made a better wheel.
Tl libraries, no frameworks. Let AI recreate it from scratch … every time