This project builds a debian based Apple Container for running OpenCode in a more isolated environment.
Running coding agents on your machine comes with a large attack surface. A CVE in the agent, a malicious dependency, or a prompt-injected file all map directly to your host. This project narrows that attack surface by running OpenCode in a lightweight Apple Container VM with a toolchain pre-installed for the technologies I work with.
-
Set up Container on your mac.
-
Customize the toolchain to your use.
-
Build the container with
build.sh. -
Start the Container system service
container system start- Run the container in your directory of choice. Example executable in
sboc.
By default, coding agents act on behalf of the user on the user's machine. This is a powerful model, but creates a large attack surface. This repo showcases a few actions taken to protect host credentials and filesystem from common attack vectors.
This container bind-mounts only the current directory.
This leaves directories like ~/.ssh, the macOS keychain, $HOME and runtime configuration files un-reachable to the agent.
We mount the opencode config read-only. This stops a compromised agent from redirecting future sessions to attacker controlled endpoints, changing default permissions or wiring malicious MCPs.
Dependency and build cache is persisted across containers for speed,
but is stored separate from host caches. Can be disabled as described in sboc.
This reduces the supply chain risk during image build.
The container persists it gh cli token.