or you can just run nanoclaw for isolation by default?

https://nanoclaw.dev