What happens when you want to let an AI coding agent run with zero permission prompts but don't want it executing arbitrary commands on your actual machine? That's the problem Locki solves.
Locki is a new CLI tool that wraps AI coding agents - Claude Code, Gemini CLI, and OpenAI Codex - inside a Lima virtual machine with LXC containers (lightweight Linux containers that can run full operating systems, not just isolated processes like Docker). One command like locki claude my-feature creates a Git branch, worktree, VM, and container, installs the agent, and drops you into a sandboxed session.
How the Isolation Works
The architecture has two layers. A Lima VM provides the actual security boundary - nothing the AI agent does touches your host system. Inside that VM, each sandbox gets its own LXC container managed by Incus for environment isolation. The VM can only access two host directories: worktrees and a persistent home folder for agent logins.
Git and GitHub CLI are stubbed out inside the sandbox. The agent literally cannot push code or interact with your repos. You review changes from your host machine - the worktree files show up natively in VS Code - and commit when you're satisfied.
For Claude Code specifically, Locki writes managed settings that enable full bypass mode: skipDangerousModePermissionPrompt and defaultMode: bypassPermissions. Same idea for Gemini CLI's --yolo flag and Codex's approval_policy: never. The whole point is removing the friction of permission prompts while keeping the blast radius contained.
The Trade-offs
First startup is slow since the VM needs to boot. The sandbox has network access (needed for package installs), so a truly malicious agent could still exfiltrate data over the network, though it can't reach host files outside the worktree. The project requires Python 3.14+ and only works on Linux and macOS.
Locki is at version 0.0.3 with 43 commits and 3 GitHub stars. The README is refreshingly honest: "Despite best effort, Locki provides no security guarantees and is provided 'as is'." There's also no license file in the repo, which means the code is technically all rights reserved under default copyright.
For developers who regularly run AI agents in unrestricted mode and want something stronger than Docker-based sandboxing, the VM approach makes sense. The convenience of native file browsing through Git worktrees is a smart design choice that avoids the "SSH into a remote box" workflow most VM solutions require.