A team at a security company replaced their single devcontainer setup with isolated OrbStack VMs to support parallel AI agent workflows. The old devcontainer was single-instance, causing port conflicts and 20-minute rebuild times when running multiple agents simultaneously. The new architecture uses a base template VM cloned per workspace, shared infrastructure (PostgreSQL, Redis, etc.), and per-workspace Docker Compose stacks with namespaced OrbStack domains. A Go CLI manages workspace lifecycle. Key optimizations include a pre-built base VM (reducing creation to 5-10 seconds) and a warm Go build cache. Authentication for Claude Code and GitHub CLI is handled via symlinks and SSH pipes. The post also covers security tradeoffs, alternatives considered (GitHub Codespaces, local k8s, Nix), and lessons learned about moving from bash to Go for the CLI.

12m read time. From blog.arcjet.com
Table of contents: The architecture; How workspace isolation works; The CLI; Claude Code and GitHub CLI auth; Security considerations; Alternatives considered; What we learned
