Multipass Sandbox: The Missing Layer Between AI Agents and Your Production Secrets

AI coding assistants are at their most powerful when you take the brakes off. Autonomous mode --dangerously-skip-permissions in Claude Code, or equivalent in other tools, is where spec-driven frameworks like GSD, SuperClaude, and BMAD actually deliver. It’s where agents stop asking for permission on every file write and start building.

“Take the brakes off” means exactly what it sounds like. On a developer’s machine, an autonomous AI agent has access to everything the developer does: SSH keys, cloud credentials, browser sessions, email. For most software shops, that’s a calculated risk. For a blockchain company, it’s existential. Private keys controlling on-chain funds, deployment credentials for smart contract infrastructure, API secrets for production systems. These aren’t just sensitive, they’re the kind of assets where a single leak is irreversible.

So developers face three bad choices:

1. Keep permissions on. Approval fatigue sets in fast. Developers stop reading prompts, reflexively hit Enter, or eventually flip to autonomous mode anyway, with no guardrails. The “safe” path trains people to ignore safety prompts.
2. Run autonomous on bare metal. This is how vibecoders move fast. It’s also how you end up with an AI agent that can read your wallet keys, delete your emails, or push to production. Not an option when real money is at stake.
3. Use container-based sandboxing. Docker sandbox is the current recommended approach, and we tried it. It falls short in ways that matter: no native Linux support (requires Docker Desktop on macOS/Windows only), no port exposure to the host (can’t connect VS Code or preview dev servers), and a TLS interception proxy that breaks dependency installs: Cargo, NPM, and other package managers choke on the MITM CA in Docker-in-Docker workflows. Developers are forced to break out of the sandbox to do real work, which defeats its purpose.

A Fourth Option

Multipass Sandbox introduces a different approach: contain the AI agent in a full VM with real isolation, but preserve every DX flow that modern developers expect.

mps up

That gives you a full Ubuntu VM with Docker, language runtimes, and dev tools pre-configured. Your working directory is auto-mounted at the same absolute path. The sandbox names itself from your project folder. VS Code connects over SSH. Port forwarding works. npm run dev previews in your browser. The agent runs autonomously inside the VM, and your host machine’s credentials, keys, and secrets stay outside the blast radius.

It runs natively on macOS and Linux. Windows developers use it through WSL2.

Built for How Teams Actually Work

Sandboxes are disposable by design. When an image gets stale or something breaks, the answer is mps destroy && mps up, not a debugging session. Cloud-init templates live in your repo, so every developer on the team gets the same environment: same packages, same tooling, same state. No more two-day onboarding sessions getting a new engineer’s machine to match everyone else’s.

We ship four pre-built image flavors, layered so you carry only what the work requires:

1. base
   1. Ubuntu 24.04, Docker, Node.js, Python, AI coding assistants (Claude Code, Gemini CLI, Codex CLI, and others)
2. protocol-dev
   1. Go, Rust, C/C++ toolchain, protobuf
3. smart-contract-dev
   1. Foundry, Hardhat, Solana/Anchor
4. smart-contract-audit
   1. Slither, Mythril, Echidna, Medusa, Halmos

The audit flavor deserves a specific callout. These are the static analysis and fuzzing tools that matter for smart contract security work: pre-installed, pre-configured, ready to run. No setup, no version conflicts, no dependency chasing.

Configuration cascades from shipped defaults through user globals, per-project .mps.env files, resource profiles, and CLI flags. Profiles auto-scale CPU and memory as fractions of your host hardware, so a lite profile on a 16-thread machine allocates more than on a 4-thread laptop, without anyone editing config files.

How We Built It

We built Multipass Sandbox with Claude Code in a few weeks of after-hours work. Our estimate for the same scope without AI was roughly two months. The CI/CD pipeline alone, covering multi-arch image builds, validation, and distribution to Backblaze B2, was implemented in half a day.

That’s not a testament to AI writing code for us. The prototype came fast, one-shot working code from a detailed implementation plan. The remaining 80% was hardening to production grade: edge cases, cross-platform compatibility (Bash 3.2+ for macOS), error handling, test coverage above 90%. Claude accelerated each iteration cycle, but the cycles still happened. Planning and architecture mattered more with AI, not less. Claude will confidently go down the wrong path if you don’t steer.

The tool is itself a proof of its own thesis:

AI agents are a genuine productivity multiplier for skilled engineers, and having an isolated environment where those agents can run autonomously is what makes that leverage safe to use.

License and Distribution

Multipass Sandbox is released under the Business Source License 1.1: free for all non-production use, and it converts to Apache 2.0 four years from each release.

Images are versioned with SemVer, SHA256-verified, and distributed via our CDN at https://mpsandbox.horizenlabs.io. Weekly automated rebuilds pick up OS security patches without manual intervention.

Get Started

# Install

git clone https://github.com/HorizenLabs/multipass-sandbox.git && cd mpsandbox && ./install.sh

# Spin up a sandbox from your project directory

cd ~/your-project

mps up

# Open a shell

mps shell

# Connect VS Code

mps ssh-config --append

# Then: Cmd/Ctrl+Shift+P -> "Remote-SSH: Connect to Host"

The repo is public. If something’s missing or broken, open an issue; we’d rather hear it directly.

Give Multipass Sandbox a try now