Drydock runs coding agents in hardware-isolated macOS VMs
Drydock is an open-source tool that runs autonomous coding agents (Claude Code or OpenAI Codex) inside hardware-isolated VMs on macOS, with deny-by-default egress and API key protection, so a compromised agent can't reach the host system or the internet.
Score breakdown
Drydock shifts the security model for agentic coding from trusting agent behavior to hardware-level containment, so threats like prompt injection or malicious dependencies cannot escape the sandbox to reach the host's credentials, filesystem, or network — regardless of what the agent attempts.
- 01Drydock runs Claude Code or OpenAI Codex agents inside per-task hardware-isolated VMs on macOS.
- 02The real API key never enters the sandbox — a host-side gateway issues short-lived, budget-capped tokens instead.
- 03Egress is deny-by-default; the only output that leaves the VM is a git diff gated on user approval.
Drydock takes a containment-first approach to autonomous coding agents on macOS, running each task in its own hardware-isolated VM rather than relying on permission prompts or output filters to keep the agent well-behaved. The threat model explicitly assumes the agent is already compromised — whether through a poisoned repo, a malicious dependency, or a prompt-injection attack — and is designed so that even a hostile agent cannot reach the host API key, filesystem, push credentials, or the open internet.
API key protection is handled by a host-side gateway that hands the sandboxed agent short-lived, budget-capped tokens instead of the real Anthropic key.
API key protection is handled by a host-side gateway that hands the sandboxed agent short-lived, budget-capped tokens instead of the real Anthropic key. Egress is deny-by-default, and the only data that crosses back out of the VM is a git diff, which the user must approve before it reaches the remote origin. The project currently supports Claude Code and OpenAI Codex, selectable on a per-task basis, and ships through a Homebrew tap.
The tool is at working alpha `v0.1.5` — the full task lifecycle (submit → isolated VM → gated diff → push) is functional end-to-end, but it is pre-1.0, single-maintainer, and has not been hardened by real-world use or a third-party security audit. The author notes that behavior and config can change between minor versions, and directs users to the included `THREAT_MODEL.md` to evaluate the security model before trusting it.
Key facts
- 01Drydock runs Claude Code or OpenAI Codex agents inside per-task hardware-isolated VMs on macOS.
- 02The real API key never enters the sandbox — a host-side gateway issues short-lived, budget-capped tokens instead.
- 03Egress is deny-by-default; the only output that leaves the VM is a git diff gated on user approval.
- 04The tool assumes the agent is already compromised and focuses on containing blast radius rather than enforcing agent behavior.
- 05Current version is working alpha v0.1.5; ships via a Homebrew tap.
- 06The project is pre-1.0, single-maintainer, and has not undergone a third-party security audit.
- 07A THREAT_MODEL.md is included in the repository for users to evaluate the security model themselves.
Topics
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Jun 19, 2026 · 10:25 UTC. How this works →