coop
Health Warn
- License — License: Apache-2.0
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 5 GitHub stars
Code Pass
- Code scan — Scanned 12 files during light audit, no dangerous patterns found
Permissions Pass
- Permissions — No dangerous permissions requested
No AI report is available for this listing yet.
Isolated VM environment for running Claude Code and Codex
coop
Isolated VM environments for running Claude Code and Codex.
Pronunciation: "coop" (/kuːp/) — one syllable, rhymes with "loop", like the thing you keep chickens in. Not "co-op".
coop is a Rust CLI that manages disposable virtual machines where Claude Code and Codex have full tool access: Docker, git, compilers, package managers, all without risk to your host machine. Each VM is isolated, reproducible, and cheap to create and destroy. On Linux, coop runs Firecracker microVMs backed by KVM. On macOS, it uses Lima with Apple's Virtualization.framework. The backend is selected automatically based on platform.
Quick start
Install:
curl -fsSL https://raw.githubusercontent.com/trailofbits/coop/main/install.sh | bash
Or build from source (requires Rust):
cargo build --release
cp target/release/coop /usr/local/bin/
Set up the VM template, start an instance, and launch an agent CLI:
export ANTHROPIC_API_KEY=sk-ant-...
export OPENAI_API_KEY=sk-proj-...
coop setup
cd ~/code/my-project
coop up
coop claude
# or
coop codex
That gives you a Claude Code or Codex session running inside an isolated VM with your project synced in. coop up is re-runnable: it creates an environment for the current project the first time, reuses it if it is already running, and restarts it after coop stop. During startup, coop writes ~/.claude/settings.json in the guest with defaultMode: bypassPermissions and skipDangerousModePermissionPrompt: true, so Claude Code runs without permission prompts — the VM itself is the isolation boundary. Pass --ask to coop claude to restore prompts for that session (--permission-mode default).
Features
- Two backends: Firecracker microVMs (Linux/KVM) and Lima VMs (macOS/Virtualization.framework), auto-detected by platform
- Workspace sync: copy or mount a local project directory into the VM with
coop up - Profiles: customizable guest environments with apt packages and install scripts; built-in profiles for Python, Node, C, Rust, Go, and fuzzing;
coop up --profile python,nodebuilds the matching image on demand - Named images: build multiple template images with different profiles (
coop setup --image ml-dev --profile python) - Claude Code integration: API key forwarding, CLAUDE.md injection, plugin/marketplace support, MCP server configuration
- Codex integration: API key forwarding,
~/.codexconfig sync, MCP server configuration, dedicatedcoop codexlauncher - VS Code remote SSH:
coop vscodeopens VS Code connected to the guest - Multi-instance: run multiple VMs side by side, each with its own name and disk
- Reconfigure in place: change a stopped instance's disk, memory, or vCPUs with
coop resize(e.g.coop resize --size +20 --mem 8192 --vcpus 4) — no destroy/recreate - Commit and restore: save a stopped instance's filesystem as a reusable image with
coop commit, and roll an instance back to it in place withcoop restore— adocker container commit-style checkpoint for risky agent runs - Config optional: works with sensible defaults; customize via
~/.coop/config.tomlwhen needed
Commands
| Command | Description |
|---|---|
up |
Ensure a project environment exists and is running |
quickstart |
One-shot: ensure default image, start an instance for cwd, launch Claude |
setup |
Install backend runtime, fetch kernel, build template rootfs |
devcontainer |
Inspect devcontainer.json support without starting setup or a VM |
start |
Restart a stopped VM |
stop |
Stop a running VM (preserves disk) |
destroy |
Stop and remove a VM instance |
shell |
Interactive shell session in a running VM |
claude |
Launch Claude Code inside the VM |
claude-agents (ca) |
Open the Claude Code agent view inside the VM |
codex |
Launch Codex inside the VM |
exec |
Run a command in the VM non-interactively |
push |
Sync local directory into the VM |
pull |
Sync VM workspace back to the host |
list (ls) |
List instances by name and state |
status |
Show instance status and resource usage |
model |
Show or switch a VM's model backend (cloud vs. local) |
logs |
Stream VM serial console output |
vscode |
Open VS Code connected to the guest |
ssh-config |
Install a coop-<name> SSH alias for ad-hoc ssh/scp/rsync |
images |
List or delete template images |
profiles |
List or inspect available profiles |
resize |
Change a stopped instance's disk, memory, or vCPUs |
commit |
Save a stopped instance's filesystem as a reusable image |
restore |
Roll a stopped instance back to an image's filesystem in place |
init |
Generate a starter config file at ~/.coop/config.toml |
validate |
Check config and prerequisites |
update |
Self-update coop to the latest GitHub release |
uninstall |
Remove the coop binary and (optionally) its data directories |
completions |
Print a shell completion script (bash/zsh/fish/powershell/elvish) |
github |
Manage GitHub fine-grained PATs (setup-pat, status, rotate-pat, forget-pat) |
Shell completion
coop completions <bash|zsh|fish|powershell|elvish> prints a static completion script. Adding source <(COMPLETE=<shell> coop) to your rc additionally completes instance, image, and profile names live. Full setup recipes are in docs/shell-completion.md.
Updating
coop update replaces the running binary with the latest release fromgithub.com/trailofbits/coop. It downloads the tarball matching the current
host triple, verifies the SHA-256 against the release's SHA256SUMS, and
(when gh is installed) verifies the GitHub build-provenance attestation
before swapping the binary atomically.
No authentication is required. When gh is
authenticated against github.com or GITHUB_TOKEN is set, coop update
uses it, which helps avoid GitHub API rate limits.
coop update --check # report whether a newer release exists
coop update # prompt, then install the latest release
coop update --yes # skip confirmation
coop update --version v0.3.2 # pin to a specific release
coop update --force # reinstall the current version
If coop is installed in a protected directory (e.g. /usr/local/bin), run
with sudo. Dev builds (built from an untagged or dirty tree) refuse to
self-update; use install.sh to replace them.
By default, coop checks for a newer release in the background at most once
per day and prints a one-line notice on stderr when an update is available.
Opt out with either:
updates.mode = "off"in~/.coop/config.toml, orCOOP_NO_UPDATE_CHECK=1in the environment.
The check is also silent when CI=true or when stdin is not a TTY.
Verifying a release
Every release tarball is published with a Sigstore build-provenance
attestation via actions/attest-build-provenance.
The attestation proves the artifact was built from this repository by the
tagged release workflow.
Both install.sh and coop update run this verification automatically
when the GitHub CLI is installed. Without gh,
they fall back to checksum verification against the release's SHA256SUMS
and print a note explaining what was and wasn't verified.
To verify a downloaded tarball manually:
gh attestation verify coop-<version>-<triple>.tar.gz --repo trailofbits/coop
Requirements
Tested on macOS arm64 (Apple Silicon) and Linux x86_64. Linux arm64 builds are available but untested.
macOS (Lima backend)
- macOS with Apple Silicon
- Lima with
limactlon your PATH (installed automatically bycoop setup) - Rosetta 2 for x86_64 guests on Apple Silicon:
softwareupdate --install-rosetta
Linux (Firecracker backend)
- x86_64 or arm64 architecture
- KVM access (
/dev/kvmmust exist and be writable by your user) sudoprivileges (Firecracker uses jailer and TAP networking)curl,tar,e2fsprogs(formkfs.ext4,resize2fs)
Documentation
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found