GenAI-based development platform - part 3: Announcing Isolarium, three flavors of secure sandboxes for GenAI-based coding agents

security   genAI development   containers   idea to code   harness engineering   testing   testability  



I’m pleased to announce that I’ve open-sourced Isolarium, a companion project to the Idea to Code workflow that provides secure sandboxes for running GenAI-based coding agents like Claude Code.

[Image: Isolarium logo consisting of an agent in a circle representing the sandbox]

This article is part of a series about the GenAI-based development platform (a.k.a. harness) that I’ve been developing to make GenAI-based coding agents like Claude Code more productive, more secure and less frustrating. The complete list of articles in the series is as follows:

In this article, I first describe the risks of running coding agents on a developer workstation and why secure sandboxes are necessary. I then briefly describe Isolarium and the three flavors of sandboxes that it offers. Let’s start by looking at the motivation for Isolarium.

Why coding agents need secure sandboxes

There are three reasons why coding agents need secure sandboxes:

  • Coding agents are vulnerable to attacks that can compromise the developer’s machine
  • Container-based testing libraries such as Testcontainers introduce additional risks
  • Even well-intentioned coding agents can cause damage

Let’s look at each one.

Coding agent security risks

Coding agent security risks have been on my mind ever since I watched the excellent and deeply disturbing presentation Agentic ProbLLMs: Exploiting AI Computer-Use and Coding Agents by AI researcher Johann Rehberger. His The Month of AI Bugs series - one post per day for the month of August 2025 - shows the risks that we face when we run coding agents.

Coding agent security risks include:

  • Exfiltration of developer credentials (SSH keys, GitHub tokens, cloud credentials)
  • Leakage of sensitive local files from the developer workstation
  • Unauthorized access to other repositories or organization resources
  • Execution of malicious commands on the developer’s machine
  • Malicious or unsafe dependency installation affecting the host environment
  • Persistence of compromise on the developer machine after an agent session ends

Container-based testing libraries introduce additional risks

Testing technologies that allow tests to run arbitrary Docker containers, such as the incredibly useful Testcontainers library, introduce additional risks, since they can be used to run malicious containers that attack the host machine.
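
A workstation check for the exposure described in the two sections above, as an added example that is not part of Isolarium or the original article: it reports which credential files, token environment variables and Docker socket a process running as the current user can reach. The path and variable lists are assumptions covering common tool defaults, and `audit_exposure` is a hypothetical name.

```python
import os
import stat
from pathlib import Path

# Assumed default locations for the credential types the article lists;
# constructed for this example, extend for your own tooling.
CANDIDATES = {
    "ssh-key": [".ssh/id_rsa", ".ssh/id_ecdsa", ".ssh/id_ed25519"],
    "github-token": [".config/gh/hosts.yml", ".git-credentials"],
    "cloud-credential": [
        ".aws/credentials",
        ".config/gcloud/application_default_credentials.json",
        ".kube/config",
    ],
}
TOKEN_ENV_VARS = ("GITHUB_TOKEN", "GH_TOKEN", "AWS_SECRET_ACCESS_KEY")


def audit_exposure(home, env, docker_sock="/var/run/docker.sock"):
    """Return sorted (category, item) pairs reachable by a process run as this user."""
    home = Path(home)
    findings = []
    for category, rel_paths in CANDIDATES.items():
        for rel in rel_paths:
            path = home / rel
            # Presence and readability only; file contents are never opened.
            if path.is_file() and os.access(path, os.R_OK):
                findings.append((category, rel))
    for name in TOKEN_ENV_VARS:
        if env.get(name):
            findings.append(("env-token", name))
    sock = Path(docker_sock)
    # A writable Docker socket lets any process start containers on the host,
    # which is the Testcontainers risk described above.
    if sock.exists() and stat.S_ISSOCK(sock.stat().st_mode) and os.access(sock, os.W_OK):
        findings.append(("docker-socket", str(sock)))
    return sorted(findings)


if __name__ == "__main__":
    for category, item in audit_exposure(Path.home(), os.environ):
        print(f"{category:18} {item}")
```

Running the same check inside a sandbox and on the host shows how much of this list the chosen isolation removes from the agent's reach.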

Even well-intentioned coding agents can cause damage

There’s also the risk of a well-intentioned coding agent causing damage by making unintended changes to the developer’s machine or code repository. Coding agents, for example, attempt to run arbitrary Bash commands, or write code that runs Bash commands.

Secure sandboxes for GenAI-based coding agents

Isolarium is a command line tool intended to address these problems. It runs coding agents in a secure, isolated and disposable environment. For example, to run Claude Code:

$ cd my-project
$ isolarium run --create -- claude -p ...

This command creates an isolated environment for the coding agent to run in, and then runs claude inside that environment.

Three flavors of isolation

Isolarium offers three flavors of isolation that make different trade-offs between security and overhead:

  • Nono - the most lightweight yet least secure option since the agent has access to some of the host’s filesystem.
  • Container - more overhead due to image and container creation yet more secure since only the working tree is shared with the host.
  • Virtual machine - slow to provision but provides the strongest isolation since the agent has no access to the host’s filesystem. What’s more, the coding agent has more freedom: e.g., it can run tests that use Testcontainers.

Isolarium works with i2code implement

The i2code implement command described in the previous article implements the final step of the Idea to Code workflow, which turns a plan derived from an idea into a pull request consisting of production code and tests. It can now use Isolarium to run the coding agent in a secure, isolated environment:

$ isolarium implement --isolation-type <type>...

This command runs the i2code implement command inside an Isolarium environment with the specified isolation type.

Next steps

To learn more about Isolarium and to get started, check out the GitHub repository. I welcome your questions, feedback, and contributions.


Copyright © 2026 Chris Richardson • All rights reserved • Supported by Kong.
