A deep dive into why AI coding agents require stronger isolation than standard containers, using Docker Sandboxes as the primary example. The author shares a personal experience mass-migrating a blog with Claude Code, which led to realizing how much unreviewed code was executing with full host privileges. The post explains Docker Sandboxes' microVM architecture: each agent session runs in its own VM with a private Docker Engine, a credential-injecting MITM proxy that keeps secrets off the VM, and configurable network policies. Critically, the author also documents the honest limits Docker itself acknowledges — domain-level network filtering can't prevent data exfiltration via allowlisted sites like GitHub, and the shared workspace directory (necessary for the agent to do real work) is a covert write channel that bypasses the hypervisor boundary entirely. Git hooks, CI configs, and package.json scripts written by the agent execute on the host. The post frames isolation as a trust spectrum: containers for known code, microVMs for autonomous agents, and advocates treating agent output like an unreviewed pull request regardless of sandbox strength.
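As an added illustration of the shared-workspace write channel the summary describes (example code written for this page, not from the post or from Docker Sandboxes), the following Python audit snapshots a workspace before an agent session and, afterwards, flags every added or modified file that the host rather than the sandbox will execute: git hooks, CI workflow files, and package.json lifecycle scripts. The path patterns and the demo workspace are constructed for the example and are a starting list, not an exhaustive one.

```python
import hashlib
import json
import tempfile
from pathlib import Path

NPM_LIFECYCLE = {"preinstall", "install", "postinstall", "prepare"}  # run on the host at `npm install`

def snapshot(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def host_exec_reason(rel: str, root: Path):
    """Why the HOST would execute this file, or None if it is plain data (constructed, non-exhaustive list)."""
    parts = rel.split("/")
    if ".git" in parts and "hooks" in parts and not rel.endswith(".sample"):
        return "git hook: runs on the host at commit/push time"
    if rel.startswith(".github/workflows/") and rel.endswith((".yml", ".yaml")):
        return "CI workflow: runs on the next push"
    if parts[-1] == "package.json":
        scripts = json.loads((root / rel).read_text()).get("scripts", {})  # malformed JSON raises: review manually
        hooks = sorted(NPM_LIFECYCLE & set(scripts))
        if hooks:
            return f"npm lifecycle script(s) {hooks} run on the host at install"
    return None

def audit_session(before: dict, after: dict, root: Path) -> list:
    """Diff two snapshots; return (path, change, reason) for added/modified files the host would execute."""
    findings = []
    for rel, digest in after.items():
        if before.get(rel) == digest:
            continue  # unchanged since the pre-session snapshot
        reason = host_exec_reason(rel, root)
        if reason:
            findings.append((rel, "added" if rel not in before else "modified", reason))
    return sorted(findings)

def demo() -> list:
    """Constructed workspace: snapshot, simulate an agent session, audit the delta."""
    root = Path(tempfile.mkdtemp())
    (root / "main.py").write_text("print('hello')\n")
    before = snapshot(root)
    # Simulated agent session: one ordinary source edit plus three host-executing artifacts.
    (root / "main.py").write_text("print('refactored')\n")
    (root / ".git" / "hooks").mkdir(parents=True)
    (root / ".git" / "hooks" / "pre-commit").write_text("#!/bin/sh\necho hook\n")
    (root / ".github" / "workflows").mkdir(parents=True)
    (root / ".github" / "workflows" / "ci.yml").write_text("on: push\n")
    (root / "package.json").write_text('{"scripts": {"postinstall": "node setup.js"}}')
    return audit_session(before, snapshot(root), root)
```

The ordinary edit to main.py is deliberately not flagged: it still goes through normal code review, which is the treat-it-like-a-pull-request stance the post takes.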
Table of contents
The container model and why it doesn’t stretch here
What Docker built, and why each piece is there
Docker tells you what won’t work
The workspace is always shared
What it actually costs
Matching isolation to trust
Why everyone is converging here
Looking back, looking forward