Sr. Content Developer at Microsoft, working remotely in PA, TechBash conference organizer, former Microsoft MVP, Husband, Dad and Geek.

Docker Sandboxes: A New Approach for Coding Agent Safety


Coding agents like Claude Code, Gemini CLI, Codex, Kiro, and OpenCode are changing how developers work. But as these agents become more autonomous (capable of deleting repos, modifying files, and accessing secrets), developers face a real problem: how do you give agents enough access to be useful without risking your local environment?

Coding Agents Increase Productivity. And Risk.

Today, development with coding agents means picking your poison:

  • YOLO Mode: Give agents full access to everything without any safeguards. It’s productive until your agent wipes critical files or exposes API keys.
  • DIY VMs: Manually spin up and lock down virtual machines. You get security but lose hours managing permissions and rebuilding environments. The productivity gains you wanted from agents? Gone.

We think developers need a better option. So we’re experimenting with a solution that could give you both safety and productivity.

What We’re Building Towards: A More Effective Way to Run Local Coding Agents Safely.

We’re working on an approach that lets you run coding agents in purpose-built, isolated local environments. Docker Sandboxes wrap agents in containers that mirror your local workspace and enforce strict boundaries across all the coding agents you use. The idea is to give agents the access they need while maintaining isolation from your local system.

Today’s experimental release runs agents as containers inside Docker Desktop’s DockerVM. This provides security through filesystem isolation and process containment. We’re moving towards a microVM-based architecture for even stronger isolation and safety.

What’s Available Now (Experimental Preview).

This is an experimental preview. Commands may change and you shouldn’t rely on this for production workflows yet. But we’re excited about where we’re heading. 

Here’s what you get today:

  • Container-based isolation: Agents can run code, install packages, and modify files within a bind-mounted workspace directory.
  • Filesystem isolation: Process containment, resource limits, and filesystem scoping, protecting your local system.
  • Broad agent support: Native support for Claude Code and Gemini CLI, with support for more coding agents coming soon (Kiro CLI, Codex, Cline, OpenCode, and others).

Why We Are Taking this Approach.

OS-level sandboxing approaches like Linux Bubblewrap or macOS seatbelt have significant limitations:

  • They rely on rigid, pre-declared policy files that break with dynamic agent behaviors (runtime code generation, interactive outputs, on-the-fly library installations). In practice, this means constantly interrupting workflows with permission prompts.
  • They don’t work across all platforms (Bubblewrap won’t run on macOS or Windows).
  • Multiple enterprise security teams have told us they won’t accept seatbelt-based solutions.

Container-based isolation is designed for exactly the kind of dynamic, iterative workflows that coding agents need. You get flexibility without brittleness.

We’re taking a usability-first approach. Rather than trying to be a great solution for all kinds of AI out of the box, we’re focusing specifically on coding agents. This lets us solve real developer problems and deliver a great experience. We’ll support other use cases in the future, but for now, coding agents are where we can make the biggest impact.

Here’s How You Can Try It.

Today’s experimental preview works natively with Claude Code and Gemini CLI. We’re building for other agents developers use.

With Docker Desktop 4.50 and later installed, run: docker sandbox run <agent>

That’s it. Your agent runs in an isolated environment and you stay productive. 

What’s Next.

  • Better support and UX for running multiple agents in parallel
  • Granular network access controls
  • Granular token and secret management for multi-agent workflows
  • Centralized policy management and auditability
  • MicroVM-based isolation architecture
  • Support for additional coding agents

Try It and Share Your Feedback.

We’re building this alongside developers. As you experiment with Docker Sandboxes, we want to hear about your use cases and what matters most to your workflow.

Send your feedback to: coding-sandboxes-feedback@docker.com

We believe sandboxing should be how every coding agent runs, everywhere. This is an early step, and we need your input to get there. We’re building toward a future where there’s no compromise: where you can let your agents run free while protecting everything that matters. 


Node.js v20.19.6 (LTS)


How to Hallucinate using Web Components


Say, you want the smooth convenience of consuming content that feels like it’s generated in real time without having to deal with the tradeoffs of a Large Language Model née Artificial Intelligence.

Why not use animation? It’s the perfect metaphor for a Hollywood-esque veneer of complexity without substance, in no way similar to how an entire industry is currently being oversold and at no risk of imminent collapse.

This approach animates each blog post’s content (already generated by a human, manually) progressively to emulate existing chatbox user experience patterns for hallucinating text. You can try it out right now by hitting the Hallucinate toggle above.

How does it work?

This makes use of the <squirm-inal> Web Component, originally for Netlify’s Your Year on Netlify microsite and using lessons learned from Queue Code (a way to live code without live coding).

// It works with any arbitrary HTML content
// including this syntax highlighted code block
"use AI"

To implement this yourself, just wrap any arbitrary content (say <main>) in a newly created <squirm-inal autoplay speed="0.6"> element and you’re off to the races.

<script
	src="https://unpkg.com/@zachleat/squirminal@3.0.1/squirminal.js"
	integrity="sha384-m+pplzdzdfZuwjyxmM9pOkp/ALfMMjZll/b2g2mR6mhurvj1ZZAe8xXNj7BSp4XM"
	crossorigin="anonymous"></script>
<script type="module">
let main = document.querySelector("main");
let squirm = document.createElement("squirm-inal");
squirm.setAttribute("speed", "0.6");
squirm.setAttribute("autoplay", "");
squirm.append(...main.children);
main.append(squirm);
</script>

You could swap the <script src> above to use import() instead but that would remove the option for subresource integrity (always important for CDN use).

That’s it!
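
The subresource integrity point above, as an added example that is not part of the original post: how an `integrity` value like the one on the `<script>` tag is derived, and how a browser-style check treats an attribute that lists several hashes. The function names (`sriFor`, `parseIntegrity`, `checkIntegrity`) and the sample script bytes are constructed for illustration; it runs in Node.js.

```javascript
const crypto = require("node:crypto");

// Algorithms SRI recognises, weakest to strongest.
const STRENGTH = ["sha256", "sha384", "sha512"];

// Build an integrity="" value from the exact bytes the CDN will serve.
function sriFor(bytes, alg = "sha384") {
  const digest = crypto.createHash(alg).update(bytes).digest("base64");
  return `${alg}-${digest}`;
}

// Split an integrity attribute into {alg, digest} entries; tokens with an
// unrecognised algorithm are dropped, as browsers do.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).filter(Boolean)
    .map((token) => {
      const expr = token.split("?")[0]; // ignore trailing ?options
      const dash = expr.indexOf("-");
      return { alg: expr.slice(0, dash), digest: expr.slice(dash + 1) };
    })
    .filter((entry) => STRENGTH.includes(entry.alg));
}

// Browser-style check: only hashes of the strongest listed algorithm count.
function checkIntegrity(bytes, attr) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return true; // nothing usable: no check enforced
  const strongest = entries
    .map((entry) => entry.alg)
    .sort((a, b) => STRENGTH.indexOf(b) - STRENGTH.indexOf(a))[0];
  const actual = sriFor(bytes, strongest).slice(strongest.length + 1);
  return entries.some((e) => e.alg === strongest && e.digest === actual);
}

// Constructed sample: a tiny script and a modified copy of it.
const original = Buffer.from(
  'customElements.define("demo-el", class extends HTMLElement {});\n');
const modified = Buffer.concat([original, Buffer.from("// changed upstream\n")]);

const pinned = sriFor(original); // value to paste into integrity=""
console.log(pinned);
console.log(checkIntegrity(original, pinned)); // pinned bytes pass
console.log(checkIntegrity(modified, pinned)); // any byte change fails
```

An attribute that lists only unrecognised algorithms enforces nothing, so the resource loads unchecked. When a CDN URL is pinned to a version, regenerate the hash from the file you reviewed rather than from whatever the URL currently returns.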


Aluminium OS will be Google’s take on Android for PC


We know a little more about Google’s long-gestating plans to combine the best parts of Android and ChromeOS into a single OS thanks to a job listing for a product manager to work on “Aluminium OS.” The job ad describes it as “a new operating system built with Artificial Intelligence (AI) at the core.”

Android Authority first reported on the job listing, which is two months old, but wasn’t spotted until recently. It gives a name — or more likely codename — to Google’s new operating system for the first time, along with the initialism “ALOS.” It specifically describes Aluminium as “Android-based,” and says the company is looking at entry-level, mass market, and premium hardware for the OS.

It doesn’t sound like ChromeOS will be going away entirely though, at least not at first. According to the listing, the team will be responsible for creating “a portfolio of ChromeOS and Aluminium Operating System” devices across various form factors (“laptops, detachables, tablets, and boxes”) and price points. That said, the ad also mentions the need to create a strategy to “transit Google from ChromeOS to Aluminium,” suggesting that the eventual plan is to phase out ChromeOS and replace it with the new Android alternative.

The name is noteworthy too, if only for using the British spelling, ending in “-ium.” That might just be a nod to Chromium, the open-source code that underlies ChromeOS.

Google has been considering bringing some form of Android to PCs for over a decade, but has begun talking about the prospect more seriously in recent years. Android Authority reported that new plans were in the works last year, and Android head Sameer Samat has since confirmed that the company is “combining Chrome OS and Android into a single platform,” with plans to release it next year.


Essential ingredients for enterprise AI success

Here, we’ve distilled the survey findings, laid out action items for leadership, and dug into recommendations around agentic AI for the enterprise. Spoiler alert: It all comes back to data quality.

Why Python is the language of AI: insights from Guido van Rossum (creator of Python)

From: GitHub
Duration: 8:07
Views: 140

We sat down with Guido van Rossum, the creator of Python, to discuss the origins of the language and its incredible trajectory in the 2025 Octoverse report. From its surprising name origin to its dominance in the age of AI, Guido shares his perspective on how community and stability have shaped Python into the powerhouse it is today.

Learn more: https://github.blog/developer-skills/programming-languages-and-frameworks/why-developers-still-flock-to-python-guido-van-rossum-on-readability-ai-and-the-future-of-programming/?utm_source=youtube-van-python-octoverse&utm_medium=social&utm_campaign=universe25post

#Python #AI #Octoverse

— CHAPTERS —

00:00 The creator of Python on its future
00:16 Why was Python created?
00:49 How the language was developed
02:27 The real origin of the name 'Python'
03:03 How the community embraced the language
04:43 Balancing stability with new features
06:11 Why Python, JavaScript and TypeScript are top AI languages
06:49 Python in the age of AI

