GhostVM for AI Agents

AI coding agents need to install packages, run builds, execute tests, and modify files. Give them their own Mac — isolated, disposable, and under your control.

The Agent Problem

AI coding agents like Claude, Cursor, Devin, and others are increasingly autonomous. They don't just suggest code — they execute it. A typical agent session might:

• Clone a repository and run npm install
• Install system dependencies via brew
• Execute build scripts and run tests
• Modify dozens of files across a codebase
• Run arbitrary shell commands to debug issues

This is powerful, but it's also dangerous. When an agent runs on your Mac with your user privileges, it has access to everything you do:

• Your SSH keys and cloud credentials
• Your browser sessions and cookies
• Your password manager database
• Every file on your system

Why Containers Don't Work

Docker is a common suggestion for isolating agent workloads. But on macOS, containers have fundamental limitations:

Containers Run Linux, Not macOS

Docker on Mac runs a Linux VM under the hood. Your containers execute inside that Linux environment. This means:

• No macOS apps — can't run Xcode, Swift, or any native Mac software
• No GUI — agents can't interact with visual interfaces
• No Apple frameworks — no Core Data, SwiftUI, Metal, or any Apple SDK
• Different architecture behavior — Linux ARM64 is not the same as macOS ARM64

Many Development Tasks Require macOS

If an agent needs to:

• Build an iOS or macOS app
• Run the iOS Simulator
• Test macOS-specific behavior
• Use Homebrew packages that don't have Linux equivalents
• Work with macOS system APIs

...then containers are not an option. The agent needs a real macOS environment.

Container Isolation Is Weaker

Even for Linux workloads, Docker containers share a kernel with each other. A kernel exploit in one container can affect all others. Containers are designed for deployment density, not security isolation.

Why macOS Sandboxing Doesn't Help

macOS has a powerful sandboxing system — it's what keeps App Store apps from accessing your files without permission. But this doesn't apply to command-line development:

Terminal Runs with Full User Privileges

When an agent executes commands via Terminal, zsh, or any CLI tool, those commands run as your user. They have access to:

• ~/.ssh/ — your SSH keys
• ~/.aws/, ~/.config/gcloud/ — cloud credentials
• ~/Library/ — app data, keychains, browser profiles
• Everything else your user account can access

No Sandbox for npm/pip/brew

Package managers don't run in sandboxes. When an agent runs npm install, every postinstall script executes with full user privileges. There's no prompt, no permission dialog, no protection.

You Can't Sandbox Development Tools

Development inherently requires broad system access: reading files, writing files, executing binaries, accessing the network. A meaningfully sandboxed development environment would be too restrictive to use.

The VM Solution: One Mac Per Agent

The answer is to give each agent its own complete Mac environment — a virtual machine running macOS. This provides:

Real Kernel Isolation

Each VM runs its own macOS kernel. Even if malware gains root access inside the VM, it cannot escape to your host without exploiting a hypervisor vulnerability — a much higher bar than user-level compromise.

Full macOS Compatibility

Unlike containers, a macOS VM can run everything: Xcode, iOS Simulator, Swift, SwiftUI, Homebrew, any native Mac app. The agent has a complete development environment.

Disposable and Reproducible

VMs can be cloned instantly (thanks to APFS copy-on-write), snapshotted at any point, and deleted when done. If an agent makes a mess, revert to a clean state in seconds.

The GhostVM Agent Workflow

Here's how to set up isolated environments for AI agents using GhostVM:

1. Create a Template VM

Set up a macOS VM with your development tools installed. This becomes your template for agent workspaces.

# Create a VM with development-ready specs
vmctl init ~/VMs/agent-template.GhostVM --cpus 4 --memory 8 --disk 64
vmctl install ~/VMs/agent-template.GhostVM

# Start it and install your tools
vmctl start ~/VMs/agent-template.GhostVM

# Inside the VM: install Xcode CLI, Homebrew, Node, Python, etc.
# Then shut down and snapshot

vmctl stop ~/VMs/agent-template.GhostVM
vmctl snapshot ~/VMs/agent-template.GhostVM create ready

2. Clone for Each Agent Session

When an agent needs a workspace, clone the template. APFS copy-on-write means the clone is instant and uses minimal disk space.

# Clone the template (instant, ~0 initial disk overhead)
# In GhostVM GUI: right-click VM → Clone

# Or duplicate the bundle in Finder
cp -c ~/VMs/agent-template.GhostVM ~/VMs/agent-session-001.GhostVM

3. Start with Limited Access

Start the agent's VM with only the folders it needs, mounted read-only when possible.

# Share only the project folder, read-only
vmctl start ~/VMs/agent-session-001.GhostVM \
  --shared-folder ~/Projects/my-app --read-only

# Or read-write if the agent needs to modify files
vmctl start ~/VMs/agent-session-001.GhostVM \
  --shared-folder ~/Projects/my-app

4. Let the Agent Work

The agent can now install packages, run builds, execute tests, and modify code — all within its isolated VM. It has no access to your host files, credentials, or accounts.

5. Snapshot Before Risky Operations

Before the agent does something potentially destructive, create a snapshot. If things go wrong, revert instantly.

# Create a checkpoint
vmctl snapshot ~/VMs/agent-session-001.GhostVM create before-refactor

# If things go wrong
vmctl snapshot ~/VMs/agent-session-001.GhostVM restore before-refactor

6. Clean Up

When the session is done, either revert to the template state or delete the VM entirely. Nothing persists to your host.

# Option A: Restore to clean state for reuse
vmctl snapshot ~/VMs/agent-session-001.GhostVM restore ready

# Option B: Delete the VM entirely
rm -rf ~/VMs/agent-session-001.GhostVM

Programmatic Control with the Host API

For automated agent workflows, GhostVM provides a Host API that lets you control VMs programmatically from inside the guest. This enables:

Agent-Driven Snapshots

An agent running inside the VM can create its own checkpoints:

# From inside the VM, create a snapshot
curl -X POST http://host.local:8080/snapshot/create \
  -d '{"name": "before-npm-install"}'

Self-Revert on Failure

If an operation fails, the agent can restore to a previous state:

# Attempt risky operation
npm install some-sketchy-package

# If something went wrong, revert
if [ $? -ne 0 ]; then
  curl -X POST http://host.local:8080/snapshot/restore \
    -d '{"name": "before-npm-install"}'
fi

File Transfer Without Shared Folders

Pull specific files into the VM or push results out, without mounting entire directories:

# Pull a file from host into the VM
curl http://host.local:8080/files/Projects/my-app/config.json > config.json

# Push results back to host
curl -X PUT http://host.local:8080/files/Projects/my-app/output.json \
  --data-binary @output.json

VM Lifecycle Control

Agents can even control their own VM lifecycle for advanced workflows:

# Graceful shutdown when work is done
curl -X POST http://host.local:8080/vm/shutdown

# Request more resources (if supported)
curl -X POST http://host.local:8080/vm/configure \
  -d '{"memory": 16}'

Why This Matters

As AI agents become more capable, they'll need more access to do useful work. But more access means more risk. The solution isn't to limit agents — it's to give them powerful environments that are isolated from your critical systems.

A macOS VM gives an agent everything it needs: a full operating system, native tools, GUI access, network connectivity. And it gives you everything you need: isolation, snapshots, disposability, and control.

Give each agent its own Mac. Let it work freely. Keep your real Mac safe.

Related Resources

• Sandboxing Untrusted Code on macOS
• macOS Virtual Machines for Development
• Host API Reference
• Managing VM Snapshots
• CLI Reference for Automation