run coding agents in localised airlocked microVMs

i built code-airlock, an open-source tool for running AI coding agents inside disposable microVMs

the problem I kept running into was the tradeoff between approving every command manually and losing most of the time savings, or disabling command prompts and trusting the agent with my actual machine. I tried the second path too often and regretted it.

code-airlock runs the agent inside a disposable microVM using Docker Sandboxes. the agent works on a clone of the repo, so it can install dependencies, run builds, start containers, and modify files inside the sandbox without direct access to my host filesystem or credentials.

when the agent finishes, I review the diff and pull back only the changes I want!

the design choice was to isolate the whole environment instead of maintaining a long list of deny rules. Deny rules are brittle with coding agents because agents are goal-driven and will often route around constraints when trying to finish a task. A microVM gives a clearer blast radius.

Current support:

- Claude Code

- Codex

- OpenCode

- few others

Requirements:

- Docker Sandboxes CLI

- Hardware virtualization: Apple Silicon or KVM

reddit.com
u/Trivo_ — 19 hours ago
▲ 7 r/codex+1 crossposts

i built a sandbox helper so i can let codex run without babysitting it :)

i kept running Claude Code two bad ways: approving every command and losing all the time i saved or running with permissions off and hoping it didn’t wreck my machine (it did, so many times lol). code-airlock is what i landed on!

it runs the agent in a disposable microVM (on Docker Sandboxes) with permissions off. inside, it can install stuff, run builds, spin up its own containers, but it can’t touch my host or my credentials. it works on a clone of the repo, so i review the diff with git fetch before anything merges. network is locked to an allowlist.

i used a VM instead of deny rules because agents route around deny rules once they’re set on finishing. there are writeups of one switching off the sandbox meant to contain it. a VM boundary it can’t get out of, so i’m fine giving it free rein inside.

works with Claude Code, Codex, and OpenCode. MIT, free. needs the Docker Sandboxes CLI and hardware virtualization (Apple Silicon or KVM)

Claude Code wrote most of it, the script and the README, and i used it to poke holes in the security model as i went.

still rough. main caveat: the network filter goes by hostname and doesn’t inspect TLS, so a wide allowlist entry is still a leak path. happy to hear where it breaks. but it’s been helpful so far - me and my colleagues have been using it

repo: https://github.com/Trivo25/code-airlock

u/Trivo_ — 3 days ago
▲ 4 r/Bangkok+1 crossposts

i made a small guide to cafés/work spots in Bangkok for laptop work

(yes, another one of these)
i’ve been making a small map of cafés/work spots in Bangkok that are good for laptop work (WiFi, outlets, seating, etc)

here it is: https://workspots.city/

i’m trying to keep it useful and respectful to the cafés, not encourage people to occupy tiny cafés for hours if they’re not set up for that

would love local feedback: what spots should I add, remove or correct? this is supposed to be a living "document", just helping people out (and maybe some smaller cafes as well!)

u/Trivo_ — 2 months ago