Isolated Ubuntu VM (Lima) for running agentic workflows (e.g. opencode) without mounting host directories.
- macOS + Lima (limactl) installed
Use start.sh to create (or reuse) the VM and copy a repo into it:
./start.sh --lima-file ./lima.yaml --src-dir .
start.sh drops you into the copied repo automatically. If you want to skip that (e.g. for CI), pass --no-enter.
Manual entry:
limactl shell agent-sandbox
If you need Homebrew tools on PATH in a plain bash shell:
eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"

limactl stop agent-sandbox
limactl delete agent-sandbox

This VM intentionally has no host mounts and no SSH keys. All data transfer is explicit.
start.sh packages a repo on the host and copies it into the VM at:
/home/lima/repo
The copy:
- Includes .git/ so you can commit inside the VM
- Includes uncommitted files
- Copies everything by default
- Optionally excludes files via --ignore-file
By default, the repo copy includes everything. To exclude files, pass an explicit ignore file (syntax matches .gitignore):
./start.sh --lima-file ./lima.yaml --src-dir . --ignore-file path/to/ignore

node_modules/
dist/
.env
*.log

Git identity and shell tooling are provisioned inside the VM via your dotfiles bootstrap (runs from lima.yaml).
Verify inside the VM:
git config --get user.name
git config --get user.email

limactl shell agent-sandbox -- opencode run

Use ./copy-out.sh to extract the VM repo onto the host (defaults to ~/dev/lima-repo, replacing any existing folder):
./copy-out.sh --name agent-sandbox
Override destination and output folder name:
./copy-out.sh --dest-dir ~/dev --out-name gemhog-repo

- No host mounts (mounts: []); all data transfer is explicit.
- Port forwarding is disabled for all ports except SSH.
- Updating lima.yaml does not change an existing instance config; recreate the instance to apply provisioning changes.
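
To confirm the "no host mounts" property on a running instance rather than trusting the config, the following added example (not part of this project's scripts) scans a /proc/mounts listing for the filesystem types Lima uses for host sharing: fuse.sshfs (reverse-sshfs), 9p and virtiofs. The function names and the sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag host-shared filesystems in a /proc/mounts listing.
# Lima host mounts show up in the guest as fuse.sshfs (reverse-sshfs),
# 9p, or virtiofs; a VM created with "mounts: []" should have none.

# host_share_mounts: reads /proc/mounts-format text on stdin and prints
# "fstype mountpoint" per host share. Returns 0 if none, 1 if any found.
host_share_mounts() {
    awk '
        $3 == "fuse.sshfs" || $3 == "9p" || $3 == "virtiofs" {
            print $3, $2
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# check_isolation: human-readable verdict for the listing on stdin.
check_isolation() {
    if shares=$(host_share_mounts); then
        echo "OK: no host-shared filesystems mounted"
    else
        echo "FAIL: host-shared filesystems present:"
        printf '%s\n' "$shares" | sed 's/^/  /'
        return 1
    fi
}

# Constructed sample: a guest with no host mounts.
SAMPLE_ISOLATED='/dev/vda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0'

# Constructed sample: a guest that shares host directories.
SAMPLE_SHARED='/dev/vda1 / ext4 rw,relatime 0 0
:/Users/alice /Users/alice fuse.sshfs rw,nosuid,nodev,relatime 0 0
mount0 /tmp/lima virtiofs rw,relatime 0 0'

printf '%s\n' "$SAMPLE_ISOLATED" | check_isolation || true
printf '%s\n' "$SAMPLE_SHARED" | check_isolation || true

# Against the real instance, from the host:
#   limactl shell agent-sandbox -- cat /proc/mounts | check_isolation
```

Because lima.yaml changes do not apply to an existing instance, run the check after recreating the VM as well as after first creation.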
MIT (see LICENSE).