Show HN: Code Airlock: Run Claude Code and Codex in Disposable MicroVMs Code Airlock, a new open-source tool, lets developers run coding agents like Claude Code and Codex inside disposable microVMs to prevent direct host access while allowing agents to install packages and run tests autonomously. The tool wraps Docker Sandboxes to provide a read-only host repo and commit-based review workflow, aiming to balance agent autonomy with security. Run Claude Code, Codex, OpenCode, or another coding agent in a disposable microVM, then review its work as normal git commits. Code Airlock is a small wrapper around Docker Sandboxes https://docs.docker.com/ai/sandboxes/ for people who want to let coding agents work with fewer prompts without giving them direct access to the host machine. Coding agents are most useful when they can install packages, run tests, inspect failures, and iterate without asking before every command. That is also exactly when you want a stronger boundary than process-level deny rules. Code Airlock keeps the workflow simple: | You want | Code Airlock does | |---|---| | Run agents unattended | Starts the selected agent inside a Docker Sandbox microVM | | Keep your local repo clean | Uses clone mode, so the host repo is mounted read-only | | Review everything first | Pulls sandbox commits back with fetch , diff , and merge | | Limit network access | Can apply a configurable allowlist for model APIs and package registries | | Switch agents | Uses AGENT=claude , AGENT=codex , AGENT=opencode , and other Docker Sandbox agents | Coding agents are most effective when they can use the tools needed to finish the task: install dependencies, inspect generated files, run test suites, start local services, read logs, and iterate on failures. Over-constraining every shell command often turns the agent into a slower autocomplete loop. Code Airlock moves the main safety boundary below the agent. The agent can work with more autonomy inside a disposable microVM, while the host repo stays read-only and the resulting changes still come back as commits for review. You can. Code Airlock is intentionally a thin wrapper around Docker Sandboxes, not a replacement for it. Use sbx directly when you want full control over sandbox lifecycle, policies, kits, and one-off experiments. Use Code Airlock when you want the common coding-agent loop already wired together: - clone mode by default - stable sandbox naming per repo - one-command agent startup - repo-local AGENTS.md scaffolding fetch , diff , review , and merge commands for the sandbox branch- a documented credential and network-policy path for Claude Code, Codex, and OpenCode The point is to make the safe workflow boring and repeatable while still leaving sbx available underneath. Agent harness rules are useful, and Code Airlock is meant to work with them. Codex approvals, Claude Code permissions, OpenCode settings, AGENTS.md , and custom prompts all help shape what the agent should do. Those rules are still policy inside the agent process. They do not give you a disposable VM, a read-only host repo, a separate clone for agent commits, or a host-side review step before changes land. They also do not provide a shared wrapper for Claude Code, Codex, OpenCode, and other agents. Code Airlock treats harness rules as the first layer and Docker Sandboxes as the boundary underneath it. The agent can be configured to behave well; the sandbox limits what happens when it does not. Install Docker Sandboxes first. On Linux: curl -fsSL https://get.docker.com | sudo REPO ONLY=1 sh sudo apt-get install docker-sbx sudo usermod -aG kvm $USER newgrp kvm sbx login On macOS and Windows, follow Docker's official install guide https://docs.docker.com/ai/sandboxes/get-started/ . Install Code Airlock with npm: npm install -g code-airlock Or with Homebrew head-only formula until a tagged release exists : brew tap trivo25/code-airlock https://github.com/Trivo25/code-airlock brew install --HEAD code-airlock Once the CLI is installed, it can walk you through any missing prerequisites: code-airlock setup guided install; shows each command and asks before running it code-airlock doctor checks only, changes nothing Or use the standalone shell installer: curl -fsSL https://raw.githubusercontent.com/Trivo25/code-airlock/main/install.sh | sh The shell installer also adds a short codelock alias when that command is not already taken: codelock up codelock status codelock attach The npm package intentionally installs only code-airlock , because codelock is already an npm package name. Add a personal shell alias if you want the shorter command after npm install: alias codelock=code-airlock Or clone it manually: git clone https://github.com/Trivo25/code-airlock.git cd code-airlock ln -s "$PWD/code-airlock" ~/.local/bin/code-airlock The installer writes to ~/.local/bin by default. Choose another location with: curl -fsSL https://raw.githubusercontent.com/Trivo25/code-airlock/main/install.sh | PREFIX=/usr/local/bin sh Skip or rename the short alias: curl -fsSL https://raw.githubusercontent.com/Trivo25/code-airlock/main/install.sh | CODE AIRLOCK INSTALL ALIAS=0 sh curl -fsSL https://raw.githubusercontent.com/Trivo25/code-airlock/main/install.sh | CODE AIRLOCK ALIAS=calock sh The shortest loop, one command in and ordinary Git review out: code-airlock run "add pagination to the users endpoint and run the tests" code-airlock diff code-airlock merge run starts the sandbox like up and hands the task to the agent's non-interactive mode: -p for Claude Code, exec --dangerously-bypass-approvals-and-sandbox for Codex, and run for OpenCode. Other agents receive the task as a plain argument. Already using a coding agent? Send it this: Install Code Airlock in this environment, then run its first-run checks. Use npm when available: npm install -g code-airlock If npm is unavailable, use: curl -fsSL https://raw.githubusercontent.com/Trivo25/code-airlock/main/install.sh | sh After install, make sure code-airlock is on PATH, then run: code-airlock doctor code-airlock --dry-run up Do not start a real sandbox or change network policy unless I explicitly ask. Run it from the repo you want the agent to work on: cd ~/code/my-project code-airlock doctor check sbx, virtualization, login, and git code-airlock --dry-run up preview the sbx commands without running them code-airlock init optional: add starter AGENTS.md instructions code-airlock up start Claude Code in a sandbox code-airlock --seed-config up optionally copy user-level agent customizations code-airlock status see this repo's sandbox and tmux session On a remote server, keep the agent running after your SSH connection closes: code-airlock --tmux up detach with Ctrl-b, then d code-airlock attach reattach later Use another agent: code-airlock --agent codex up code-airlock --agent opencode run "fix the build" The AGENT environment variable and the sandbox.conf setting still work; the --agent flag wins when both are set. When the agent has made changes, review them from your host: code-airlock fetch code-airlock diff code-airlock review optional: open a visual diff code-airlock merge Prefer a pull request over a local merge: code-airlock pr push the sandbox branch and open a PR code-airlock pr main feature/foo explicit base and branch name The push happens from the host with your credentials, so the sandbox still needs no GitHub access. pr uses gh when it is installed and prints the GitHub compare URL otherwise. The default branch name is code-airlock/