Bromure Agentic Coding

Let your AI agent
go wild — safely.

Run Claude Code, Codex, and the next coding agent inside a Linux VM that shares only the folders you choose. Anything they download, install, or break stays inside the VM.

Download Bromure Agentic Coding nowApple Silicon (M1 or later) · Free & Open Source

Bromure Agentic Coding running Claude in an isolated VM with the Trace Inspector

Coding agents are now running on your laptop.

Claude Code and Codex pull packages, run scripts, spin up servers, and execute whatever the model decides is useful. That's the point. But every npm install, every pip install, every curl | bash they run lands on your host OS — beside your SSH keys, your password manager, your iCloud, and the rest of your work.

A single typosquatted dependency, a poisoned script, or a confused agent can quietly exfiltrate a token, drop a launch agent, or wipe a directory. The agent isn't malicious; it just has root-equivalent access to your real machine. That's a blast radius nobody signed up for.

Move the agent into a VM.

Bromure Agentic Coding gives every developer a Linux virtual machine that shares only the folders they pick. Claude or Codex run inside the VM. They see your repo through a shared mount; they don't see your home directory, your keychain, or the rest of your disk.

Install whatever the agent needs — system packages, language toolchains, half-broken experimental builds. The VM is the agent's workspace, not your laptop. When something goes sideways, you reset the VM and start over. Your host stays pristine.

The shared folders are mounted live in both directions, so you keep editing in Cursor, VS Code, or Xcode on macOS while the agent works in the VM. Save in your editor and the agent sees the change instantly; the agent rewrites a file and your editor picks it up — same files, two views, no syncing, no checkout dance.

~/projects/my-app

$ bromure code --share ./

→ launching VM (clone of base image)…

→ mounting ~/projects/my-app at /workspace

→ proxy ready · ssh-agent forwarded · tracer on

→ ready in 3.2s

vm:/workspace

$ claude

→ npm install ✓

→ git push ✓ (token swapped at proxy)

→ host ~/.ssh: not visible · keys never left Mac

Credential brokering

The agent works, the secrets stay home.

An agent that can't push to GitHub, pull from a private registry, or SSH into a build server isn't useful. The naive answer is to drop your long-lived tokens and SSH keys into the VM. Then the next typosquatted dependency reads them and walks off with your organization.

Bromure flips this on its head. The config inside the VM ships with stubs — fake bearer tokens, fake API keys — that look real to git, gh, your model provider's CLI, your private registry, and anything else expecting an Authorization header. A proxy on your Mac sits in front of every connection leaving the VM, recognizes the stub, swaps it for the real secret at the wire, and forwards the request. The real value is never written to a file the VM can read, never held in an env var the VM can dump, never paged into memory the VM can scrape.

Stubs in, real tokens out

Configure GitHub, your model provider, npm, AWS, your internal registry — whatever the agent needs — once, on the host. The VM gets stubs that satisfy every tool's expectations. The host-side proxy substitutes the real bearer as the request leaves the hypervisor boundary. A package that grabs env vars, reads ~/.netrc, or dumps memory walks away with placeholders.

ssh-agent forwarded, never exposed

ssh-agent runs on your Mac with keys in the macOS Keychain. Bromure forwards only the agent socket into the VM, the way OpenSSH always intended. Inside the VM, ssh and git work transparently — but there is no key file on disk, no passphrase in memory, nothing for a compromised dependency to steal. Close the session, the channel closes.

A poisoned package can wipe the VM's filesystem. It cannot take your GitHub org. It cannot pivot into your build infra. It cannot drain your AWS account. The blast radius is the VM, and the VM is throwaway.

Approval gating

A click between the agent and your secrets.

Stub-and-swap is half the story. The real tokens still live somewhere — they're just on your Mac, behind the proxy, instead of inside the VM. That's a huge improvement when the threat is malware in the VM. It's a smaller one when the threat is malware on your laptop itself: a backdoored update, a compromised browser extension, a process that already has local code execution. Anything that can talk to the proxy could, in principle, ask it for a real token.

So Bromure adds an explicit human-in-the-loop step in front of the credentials you mark as sensitive. When something — the agent, a CLI you typed, or a process you didn't — tries to use one of those tokens through the proxy, Bromure pops up on your Mac, names the credential and the destination, and asks you. You approve for five minutes, an hour, the rest of the session, or just this one request. After that window, it's locked again.

Time-bounded approval

Pick the TTL when you approve. Five minutes for a single push. An hour for a focused release session. Single-use for the genuinely scary ones — a production deploy, a secret rotation, a destructive migration. The grant expires automatically, so you don't end up with `aws sso login` left wide open for the rest of the day.

Local malware loses its leverage

If a process running on your Mac tries to push to your container registry, impersonate you against GitHub, or drain a cloud account, it can't. The credentials aren't on disk to read, and the proxy that holds them only releases one when the human in front of the screen clicks approve. Code execution on your laptop is no longer enough to act on production.

Long-lived tokens become moments of access. Even if your laptop is compromised end-to-end, an attacker still has to get past you to do anything that matters.

Why run agents in a Bromure VM

Contained blast radius

A misbehaving package, a poisoned post-install script, or an agent that decides to rm -rf can only touch what's inside the VM. Your home directory, your keys, and your iCloud sit on the other side of a hypervisor boundary.

No real credentials inside

The VM ships with stub tokens. A host-side proxy swaps them for the real bearer at the wire when a request leaves the VM, and ssh-agent runs on your Mac with only the socket forwarded in. A package that scrapes env vars or reads disk finds placeholders, not secrets.

Every action recorded

Bromure traces the full session — prompts, model responses, tool calls, shell commands, file edits — as it runs. Open the trace afterward, search it, hand it to a reviewer, attach it to the pull request. Traceability comes for free.

Edit on macOS, side-by-side

Shared folders are live in both directions. Keep using Cursor, VS Code, or Xcode on the host — the agent rewrites a file in the VM, your editor picks it up; you save in your editor, the agent sees it instantly. Same files, two views, no syncing.

Session tracer

See exactly what the agent did.

A coding agent makes hundreds of decisions per session. Most of them you never see — they scroll past in a tool call you didn't read carefully, get summarized in a single line, or happen between two messages you were skimming. That's fine until something breaks. Or until you need to explain to a reviewer, a teammate, or an auditor what the model actually changed.

Bromure records the full session as it runs: every prompt, every model response, every tool invocation, every shell command, every file written. Open the trace afterward, search it, hand it to someone else, attach it to a pull request. The agent works fast; the record is patient.

Bromure Trace Inspector showing every API call made by the agent

Full dialogue capture

Prompts, completions, tool calls, shell commands, file edits, exit codes — captured live as the session runs. Nothing is reconstructed from scrollback; nothing is lost when you close the terminal.

Replayable, reviewable, attributable

Scrub through the agent's reasoning and actions, see exactly what was installed and why, and turn 'it just worked' or 'it just broke' into something you can show to another human.

When the agent works, the trace is your paper trail. When it doesn't, it's your bug report.

Bring your own agent.

Bromure Agentic Coding doesn't replace your tooling — it gives it a safe place to run. The VM ships with the runtimes most agents expect, and you install the rest.

Claude Code

Anthropic's terminal-based coding agent runs natively inside the VM. Authenticate once and let it pull dependencies, run tests, and refactor against your shared repo.

Codex

OpenAI's coding agent installs the same way it would on any Linux box — except this Linux box can't see your home directory.

Anything else

Aider, OpenHands, custom internal agents — if it runs on Linux, it runs in Bromure. The VM is just a Linux machine; the safety comes from where it lives.

How it works

1. Pick your folders

When you create the VM, you choose which folders on your Mac it can mount — typically the project you're working on. That's the agent's entire view of your filesystem.

2. Launch the VM

Bromure boots a Linux VM in a few seconds using Apple Virtualization.framework. Open a terminal into it like you would any remote machine.

3. Run the agent

Install Claude Code or Codex inside the VM. Point it at the shared folder. Let it work — install packages, run scripts, spawn processes — without ever touching your host.

4. Reset when you want

When the VM's state stops being useful, throw it away. Start fresh in seconds. Your code is on the host; the mess stays in the VM.

VM vs container

Why not just use a container?

Four reasons.

Shared kernel

Containers share a kernel with your host. A bad enough package, a kernel bug, or a misconfigured mount, and the boundary is gone. Containers were built to isolate workloads, not to defend against the things you're actively running inside them.

Immutable, not interactive

Container images are built once and frozen. An interactive coding agent — installing packages, tweaking configs, rebuilding tools all day — fights that model the whole way. Every change wants a rebuild. The mutable home directory you mount in to make the workflow tolerable becomes the soft underbelly the rest of the image was supposed to protect.

Don't actually run on macOS

Docker on Mac isn't really running containers — it's running them inside a hidden Linux VM that ships with Docker Desktop. You're paying the VM cost already, just without seeing it. Bromure cuts out the middle layer: one VM, visible, configurable, and yours.

No way to keep secrets out

To make a container useful for git, gh, kubectl, aws, or npm, you end up mounting ~/.ssh, ~/.kube/config, ~/.aws/credentials, ~/.npmrc and your GitHub token in — your real secrets, on a filesystem the agent can read. Bromure flips that. The VM gets stubs that look like real credentials to every tool; a host-side proxy recognizes them and substitutes the real GitHub token, kubeconfig bearer, AWS credential, or registry password at the wire as the request leaves. SSH keys stay in the macOS Keychain — only the ssh-agent socket is forwarded in. A container has no equivalent without rebuilding the trust model from scratch.

A VM has its own kernel, its own memory, its own filesystem. You install whatever you want, the way you would on any Linux box, and you keep doing that all day. Apple's Virtualization.framework makes the cost low enough that there's no reason to settle for less.

Give your agent a real workshop.

One VM. Total isolation. Install anything. Bromure Agentic Coding is free and open source.