Show HN: YOLO mode, not on your laptop Voidx, a new agent-and-git-first remote sandbox dev environment, launched to provide a secure, cross-device platform for running coding agents in cloud VMs. The tool integrates OpenAI's Codex and supports ephemeral workspaces booted from Git repos, enabling users to safely automate complex development tasks like rewriting legacy Python 2.7 systems to Python 3.14 and Django 6. Voidx addresses security risks highlighted by incidents where LLMs like Fable 5 ran commands with excessive privileges outside sandboxes. YOLO mode, not on your laptop It’s 2026, and you have plenty of reasons to put your agents in a cloud sandbox VM. Take security. According to this https://simonwillison.net/2026/Jun/11/fable-is-relentlessly-proactive/ post, Fable 5, the most advanced LLM in the world, ran commands with alarming privileges OS screenshots, among other things to fix a bug that came down to two lines of CSS. As Simon Willison puts it, “Running coding agents outside of a sandbox has always been a bad idea.” Another reason: you don’t need this $199 Precision Claw. You may have heard of exe.dev, Sprites, or shellbox.dev. Remote dev environments like these made the rounds a few months back. You manage Sprites through a CLI tool; the other two exe.dev, shellbox.dev picked SSH, which is cool. But as k9s is to kubectl and lazygit is to git, a proper TUI / UI makes you faster. That’s voidx: an agent-and-git-first remote sandbox dev environment across your devices. Here’s a quick example: spinning up an interesting Git project in a VM. Prompt: Set up a demo for https://github.com/henrygd/beszel https://github.com/henrygd/beszel on localhost:3000 Worth noting: the asciinema recording itself was also edited by gpt-5.5 in Voidx — done in a single prompt. Codex, uncut In a recent post https://openai.com/index/codex-for-every-role-tool-workflow/ , OpenAI says Codex started as a tool for software development, but these days people in all kinds of roles use it to get their work done faster. No surprise there: an agent can always do more than a bare LLM. On top of that, Codex knows its way around Linux: many skills depend on purpose-built Python scripts or pdftotext. Codex is superb, as long as you don’t let it write your frontend. We built Codex into voidx: a Codex pane on the left, a terminal on the right, plus a HUD. That means your ChatGPT subscription works here as-is: with your consent, voidx injects your Codex credentials into your sandbox VM for that session. You can run your favorite vibe coding tools in the terminal too. Git, Git, Git We designed the voidx sandbox to be ephemeral from day one you can’t keep a VM’s disk today; we’ll ship that soon . That’s fine. Modern software development can’t live without Git. We pull. We edit. We push. It’s second nature by now. So you can boot voidx from a git repo. We can show this with a story. At the daily 4:30 p.m. standup, your boss tells you he wants to revive a fifteen-year-old business system written in Python 2.7. Your vision goes dark for a second. Back at your desk, you stare at this museum piece of a repo, unsure where to start. The last commit is from 2011, and the message says “fix bug”. Ugh. You might as well let an agent take the first crack at it. You run voidx start git@laundry.inc:archived/old.git to spin up a remote VM and clone the whole project. You don’t expect much, but you’ve been falling behind on the company token-burn leaderboard, so you write: /goal Rewrite the whole repo to Python 3.14 & Django 6. Install Python 2.7 and get the old system running first. Write massive tests to ensure old and new behave exactly the same. Run the rewritten project on 0.0.0.0:1234 Whatever happens, happens. You close the MacBook, drop it in your bag, and head home. The next morning, on a packed rush-hour subway, you remember the whole mess and open voidx mobile on your phone. The agent swears up and down that the work is done. 412 test cases, 409 passing, 3 skipped. The three skipped tests all touch round : Python 2 rounds half away from zero, Python 3 uses banker’s rounding. The agent asks: I noticed the skipped tests touch the financial module — this is an important consideration Would you like me to preserve the legacy rounding behavior to ensure full consistency with the original system? Just let me know how you’d like to proceed 🚀 “Keep it,” you tell the agent. You step out of the station with all 412 tests passing. Back at your desk, you try /expose http 1234 1d and open the URL. It looks legit. You half-ass your way through a few features and each one works. Huh. You tag it rebirth, push, and toss the link into the business team’s Slack channel: “mind testing this?” Free QA. Beautiful. Everything else - The classic case for a cloud dev environment: you’re on a weak connection, or somewhere a laptop is awkward, and inspiration strikes. Hand the task to an agent from the phone app, then pick the work back up at your desk. The sandbox stays in full sync between your phone and your computer. - Slash commands: handy shortcuts like /commit , /push , /yeet /commit & /push , /upload , /forward , /expose , and /unexpose smooth out the dev loop. - Speech recognition on mobile runs on the device, start to finish. - It runs on MicroVMs. 2026 is the year of LPE Local Privilege Escalation . Bugs like DirtyClone, Copy Fail, Dirty Frag, and Fragnesia threaten https://github.com/avevad/copyfail-docker-escape sandbox setups that share a kernel. A VM gives you stronger isolation. You can verify it on voidx in seconds Security A sandbox is not a magic incantation you chant to make every security problem disappear. You should know what happens under the hood. Picture the agent inside the sandbox: it runs as root. As a rule, even an agent gone rogue can’t break out of the sandbox, but it can read every file inside it. Assume the agent will read anything you pass in: the filesystem, process environment variables, and so on. The sandbox needs to push and pull. If we uploaded your git SSH private key into it, the agent could read the key with one cat . ssh-agent bails us out with signature forwarding: the private key stays on your machine, and your local ssh-agent signs for the sandbox over the wire to authorize it. Compared with handing over the raw key, though, this has a downside: you have to stay connected to the sandbox to keep signing for it. That’s engineering. Much of the time you can’t have both security and convenience. We upload one more secret into the sandbox: the key you use to call your model for a ChatGPT subscription, that’s the access token in auth.json . Unfortunately, we haven’t found a good fix for this one. Pricing voidx and voids.run are commercial products. The short version: you pay for the cloud resources you use, meaning the CPU time you burn $0.045/vCPU/hr plus the memory you reserve $0.01/GB/hr . On a subscription $20 or $200 a month you get 2.5x the usage credit $50 or $500 a month . One subscription works across the voids.run cloud platform, voidx included. It even comes in under DigitalOcean. Take a light CPU load: a 1-core / 2 GB box averaging 10% CPU, with 2 GB reserved, costs $17.64 a month at API prices. On a subscription, that works out to $7.06 a month, under DigitalOcean’s $12. Voids.run voidx sits on top of voids.run. We want voids.run to make agent development simpler. We ship an API and an SDK Rust for now, with Python, TypeScript, and Go coming . We spent a long time on the design and polish, but both products are in their early days. We want your suggestions: come find us on Discord https://discord.gg/TGdRhDEDb to talk things through or report problems.