
Isn't the easy way just a development VM? As in:

Install your OS of choice in a virtual machine, e.g. even hosted on your main machine.

Install the AI coding tool in the virtual machine.

Set up a shared folder between host+guest OS.

Only let the VM access files that are "safe" for it to access. Its own repo, in its own folder.

If you want to give the AI tool and VM internet access and tool access, just limit what it can reach to things it is allowed to go haywire on. All the internet and all OS tools are ok. But don't let this AI do "real things" on "real platforms" -- limit the scope of what it "works on" to development assets.

When deploying to staging or prod, copy/sync files out of the shared folder that the AI develops on, and run them. But check them first for subterfuge.

So, don't give the AI access to "prod" configs/files/services/secrets, or general personal/work data, etc. Manage those in other "folders" entirely, not accessible by the development VM at all.

Is that close?
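The "copy/sync files out of the shared folder, but check them first for subterfuge" step from the comment above, as an added example that is not part of the original post. It runs on the host against the VM's shared folder and refuses the export when the tree contains secret-looking files or classic download-and-execute / decode-and-run content. The file-name and content patterns, the `/work`-style directory layout and the `.git` exclusion are assumptions to be extended per project.

```bash
#!/usr/bin/env bash
# Added example, not from the thread above. Before files the agent wrote in
# the VM's shared folder are copied toward staging, refuse the copy if the
# tree carries secret-looking files or "subterfuge" content.
# The patterns below are assumptions; extend them per project.

# File names that must never travel from the dev share to staging/prod.
SECRET_NAME_RE='(^|/)(\.env(\..*)?|[^/]*\.(pem|key|p12|pfx)|id_(rsa|ed25519|ecdsa)|credentials(\.json)?|\.npmrc|\.pypirc|\.netrc)$'

# Content with no business in a tree headed for deployment: pipe-to-shell
# installs, base64 decode-and-run blobs, eval of expanded input, reverse shells.
SUSPICIOUS_CONTENT_RE='(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z)?sh|base64[[:space:]]+(-d|--decode)|eval[[:space:]]+"?\$|nc[[:space:]]+-[ec][[:space:]]|/dev/tcp/'

# audit_dir DIR -> prints one finding per line; returns 0 if clean, 1 otherwise
audit_dir() {
  local dir=$1 findings
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
  findings=$(
    cd "$dir" || exit 1
    # 1. secret-looking files anywhere in the tree (VCS metadata skipped)
    find . -path ./.git -prune -o -type f -print | sed 's|^\./||' \
      | grep -E "$SECRET_NAME_RE" | sed 's/^/secret-like file: /'
    # 2. suspicious content in any text file (-I skips binaries)
    grep -rIlE --exclude-dir=.git "$SUSPICIOUS_CONTENT_RE" . 2>/dev/null \
      | sed 's|^\./||' | sed 's/^/suspicious content: /'
  )
  [ -n "$findings" ] && printf '%s\n' "$findings"
  [ -z "$findings" ]
}

# export_to_staging SRC DST -> copies SRC to DST (minus .git) only if the
# audit is clean; otherwise leaves DST untouched and returns 1
export_to_staging() {
  local src=$1 dst=$2
  if ! audit_dir "$src"; then
    echo "refusing to export $src: resolve the findings above first" >&2
    return 1
  fi
  mkdir -p "$dst" || return 1
  (cd "$src" && tar cf - --exclude=.git .) | (cd "$dst" && tar xf -)
}
```

Usage: `export_to_staging /mnt/agent-share/myrepo /srv/staging/myrepo`. The audit is a cheap gate, not a substitute for reading the diff: a model that wants to smuggle something out can do it in ways no regex list anticipates, so treat a clean run as "nothing obvious", then review the actual changes.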





Here are my open-source (MIT) solutions for Mac development:

SandVault [0]: Run AI agents isolated in a sandboxed macOS user account

ClodPod [1]: Run AI agents isolated inside an OSX virtual machine

0: https://github.com/webcoyote/sandvault

1: https://github.com/webcoyote/clodpod


Thanks for sharing. Which one do you use for what?

Did somewhat exactly that for an Apple container-based sandbox: Coderunner[1]. You can use it to safely execute AI-generated code via an MCP at http://coderunner.local:8222

A fun fact about Apple containers[2]: they're more isolated than Docker containers, as in they don't share the VM across all containers.

1. https://github.com/instavm/coderunner

2. https://github.com/apple/container


Automating this setup is also somewhat easily possible with, e.g., Lima[0] or HashiCorp Vagrant[1].

[0]: https://lima-vm.io/

[1]: https://developer.hashicorp.com/vagrant


You can also just type “docker sandbox run claude” if you have Docker Desktop installed (or something along those lines).

edit: it only mounts $PWD


I'd just do it over a Docker mount (or equivalent) to keep it a bit more lightweight. Can keep the LLM running locally, and teach it how to test/debug via instruction files.
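The "only mounts $PWD" / Docker-mount variant from the two comments above, as an added example that is not part of the thread and not Docker's own `docker sandbox` command: a wrapper that bind-mounts exactly one directory into the container and strips the container of privileges it does not need. The mount point `/work`, the tmpfs used as the agent's HOME, the resource limits, the list of credential directories it refuses, and the image name you pass are all assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the thread above. Hands the agent one directory and
# nothing else, and drops capabilities, setuid escalation and a writable
# root filesystem. Mount point, limits and the refused-entries list are
# assumptions.

# check_workdir DIR -> 0 if DIR is safe to expose to the agent, 1 otherwise.
# Refuses /, the home directory, any ancestor of it (mounting /Users exposes
# every account), and any directory with credential material at its top level.
check_workdir() {
  local dir entry
  dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "not a directory: $1" >&2; return 1; }
  case "$dir" in
    /|"${HOME:-/nonexistent}") echo "refusing to mount $dir" >&2; return 1 ;;
  esac
  case "${HOME:-/nonexistent}/" in
    "$dir"/*) echo "refusing: $dir contains your home directory" >&2; return 1 ;;
  esac
  for entry in .ssh .aws .gnupg .kube .env .netrc; do
    if [ -e "$dir/$entry" ]; then
      echo "refusing: $dir contains $entry" >&2; return 1
    fi
  done
  return 0
}

# mount_spec DIR -> the argument for docker's -v flag, with DIR resolved
# (symlinks followed) so the mount is what you think it is
mount_spec() {
  printf '%s:/work\n' "$(cd "$1" && pwd -P)"
}

# run_sandbox DIR IMAGE [NETWORK]
# NETWORK defaults to bridge (internet allowed, as the first comment suggests);
# pass "none" to cut the agent off entirely. IMAGE is whatever image carries
# your coding tool; nothing here assumes a particular one.
run_sandbox() {
  local dir=$1 image=$2 network=${3:-bridge}
  check_workdir "$dir" || return 1
  docker run --rm -it \
    --cap-drop=ALL \
    --security-opt=no-new-privileges \
    --read-only --tmpfs /tmp --tmpfs /home/agent \
    --pids-limit=512 --memory=4g \
    --network="$network" \
    --user "$(id -u):$(id -g)" \
    -v "$(mount_spec "$dir")" -w /work \
    -e HOME=/home/agent \
    "$image"
}
```

Usage: `run_sandbox . my-agent-image none` to develop fully offline, or `run_sandbox ~/code/myrepo my-agent-image` with the default network. The refusal list catches the common mistake of launching the agent from `~` or from a repo that has a `.env` checked in; it does not make the container an escape-proof boundary, which is the point the VM-based replies in this thread are making.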


