I like the idea but not the MCP part.
How about using bash-tool to intercept the commands and then passing them onto the containers?
I like the idea but not the MCP part.
How about using bash-tool to intercept the commands and then passing them onto the containers?
That's exactly what it does -- the bash commands are passed into the containers. It also manages container lifecycle (starting on first request, cleanup on connection shutdown).
If you're using an agent tool that already includes an existing bash tool which calls host OS, just remove that one and add this.
My bad, looks like I misunderstood how bash-tool works.
Then how about running Claude Code or your harness of choice inside bubblewrap with a shim/stub for the base binary?
https://github.com/containers/bubblewrap