Recent related Ask HN: How are you sandboxing coding agents? (46 points, 25 days ago, 32 comments) https://news.ycombinator.com/item?id=46400129

Standard VMs are definitely overkill for per-agent instances due to the resource overhead.

If you need strict isolation for untrusted code but want container-like speed, look into Firecracker (MicroVMs) or gVisor (userspace kernel).

Firecracker is what AWS Lambda uses. It strips down the kernel to the bare minimum, so you get VM-level isolation with millisecond boot times and a tiny memory footprint. It’s essentially the sweet spot between "insecure" Docker and "heavy" full VMs.

Currently I'm using docker-ized git worktrees so I can dangerously skip permissions. It's not great. Worktrees are not the way to go and Claude Code treats docker as a second-class citizen (e.g., going through the MacOS auth flow deletes the linux-based auth tokens you need to mount in the container)

Using https://github.com/aperoc/toolkami which just spins up a worktree with pre-configured Docker containers.

I use a physically separate system.

i.e. DEV and PROD are completely airgapped.

Orbstack VM.