Find a file
Evgeny Boger d280d78ba2 fix(launcher): pre-approve project folder + always pass --dangerously-skip-permissions to claude
Two more bypasses the in-VM Claude was tripping on:

- "Do you trust the files in this folder?" prompt. Lives in
  ~/.claude.json under `projects.<absolute-path>.hasTrustDialogAccepted`.
  secrets::refresh now takes the in-guest project path (the same one
  bind-mounted at the cwd's host path) and pre-writes the trust flag
  + project onboarding flag for that path. Re-uses the existing
  ~/.claude.json symlink wiring from the previous commit.

- `--dangerously-skip-permissions` was not being passed to the in-VM
  claude. New Agent::default_args() returns the per-agent default
  argv prefix; for Claude that's the dangerous-skip flag. The launcher
  prepends it before the user's own args, deduping if the user already
  passed it explicitly. Same flag the original Bash agent-vm used; the
  microVM is the sandbox so the in-VM "are you sure?" prompt adds no
  protection and breaks agent-mode flows.

Codex / OpenCode get an empty default_args slice; the dangerous-mode
equivalents for those agents already land via Codex's config.toml
written in the previous commit (sandbox_mode = "danger-full-access",
approval_policy = "never").
2026-05-18 01:00:53 +03:00
crates/agent-vm fix(launcher): pre-approve project folder + always pass --dangerously-skip-permissions to claude 2026-05-18 01:00:53 +03:00
images fix(image): restore the apt cache cleanup lines that the last commit dropped 2026-05-17 19:26:03 +03:00
vendor chore: bump vendor/microsandbox to pick up patched msb version tag 2026-05-18 00:38:59 +03:00
.gitignore Phase 0: scaffold microsandbox-based rewrite 2026-05-17 17:05:07 +03:00
.gitmodules Phase 0: scaffold microsandbox-based rewrite 2026-05-17 17:05:07 +03:00
ARCHITECTURE.md Phase 4: file-backed secrets + OAuth refresh interception 2026-05-17 23:38:40 +03:00
Cargo.lock Phase 3: host-rooted Claude/Codex credentials never enter the VM 2026-05-17 21:21:28 +03:00
Cargo.toml Phase 0: scaffold microsandbox-based rewrite 2026-05-17 17:05:07 +03:00
LICENSE first commit 2026-01-28 01:15:09 +01:00
PLAN.md Phase 4: file-backed secrets + OAuth refresh interception 2026-05-17 23:38:40 +03:00
README.md Phase 4: file-backed secrets + OAuth refresh interception 2026-05-17 23:38:40 +03:00

agent-vm (microsandbox rewrite)

Work-in-progress rewrite of agent-vm on top of microsandbox. The goal is sub-second cold-start microVMs for AI coding agents (Claude Code, Codex CLI, OpenCode) with host-rooted credentials and no in-VM proxy.

This is a long-running rewrite. The current state lives on rewrite-microsandbox. The original agent-vm continues to live on main until v1 of the rewrite ships.

Where to look

  • PLAN.md — phased roadmap, what's in/out of v1.
  • ARCHITECTURE.md — running record of design decisions, filled in as each phase lands.

Status

  • Phase 0 (scaffolding): done.
  • Phase 1 (base OCI image + agent-vm setup): done.
  • Phase 2 (launcher MVP — claude/codex/opencode/shell): done; live API smoke deferred to Phase 3.
  • Phase 2.x (RUST_LOG, host-path mounting, pull progress bar, agent-vm pull + update-available banner, registry auto-recovery): done.
  • Phase 3 (host-rooted secrets via microsandbox TLS intercept): done. Real Claude/Codex tokens stay on the host; the in-VM agent only sees placeholders. See ARCHITECTURE.md "Phase 3" for the two-layer placeholder dance.
  • Phase 4 (token-refresh semantics: rebuilt msb, file-backed secrets, OAuth-endpoint interception): done. Long sessions survive host token rotation without manual intervention.
  • Phase 5 (fast-launch via detached mode): deferred — see PLAN.md; snapshots don't help launch time, detached mode is a product-shape decision.
  • Phase 6 (distribution + polish + docs): pending.

Building

git submodule update --init vendor/microsandbox
cargo build -p agent-vm

Building the base image

./target/debug/agent-vm setup        # build + verify in a throwaway sandbox
./target/debug/agent-vm setup --no-verify

Requires Docker on the host. A registry:2 container named agent-vm-registry will be created on first run and bound to 127.0.0.1:5000.

Running an agent

cd your/project
agent-vm claude        # or codex / opencode / shell
agent-vm claude -- -p "fix the lint errors"  # forward args to the agent

# Smoke / scripted use:
agent-vm shell -- -c 'ls /workspace && claude --version'

The first arg after the subcommand is treated as input to the agent. Use -- if any forwarded arg starts with - (otherwise clap will try to claim it). Project state lives in ~/.local/state/agent-vm/<hash>/ and survives between launches. Phase 2 supports auth via the ANTHROPIC_API_KEY / OPENAI_API_KEY env vars only; the OAuth-refresh path lands in Phase 3.

Actually running a sandbox requires the microsandbox runtime prerequisites (Linux with KVM, or macOS Apple Silicon). See microsandbox's README.