Self-hosted coding agent with microVM sandboxes and a native iOS and macOS app.
This fork exists to make Netclode easier to self-host and operate on a single server. It' being heavilly developped, so expect bugs.
- Simpler deployment: replaces the original Kubernetes+Ansible-oriented deployment path with a Docker Compose workflow that is easier to understand, debug, and maintain.
- BoxLite-based sandboxes: runs sandboxes with BoxLite in direct Docker/host deployments, avoiding the operational overhead of a full K8scluster.
- Client compatibility: keeps the control-plane protocol and core behavior aligned so existing upstream-style clients can still work against this fork.
Sandboxing in this fork is based on BoxLite microVMs, with the current tradeoffs documented here:
In short:
- sandboxes run inside BoxLite VMs (you still need virtualization enabled!)
- storage is backed by QCOW2 disks
- pause/continue is currently a VM turn on/off with persistent volume (to be turned into a real snapshop once the Boxlite Go SDK matures)
- snapshots don't currently work (also TBD when Boxlite Go SDK matures)
- network isolation is designed for practical self-hosted hygiene, not hostile multi-tenant strong isolation, tailnet isolation currently doesn't work, this could change depending on future Boxlite features
If you are evaluating this fork for production use, read the BoxLite sandbox docs first.
I wanted a self-hosted Claude Code environment I can use from my phone, with the UX I actually want. The existing cloud coding agents were a bit underwhelming when I tried them, so I built my own!
I wrote a blog post about how it works: Building a self-hosted cloud coding agent.
- Full yolo mode - Docker, root access, install anything. The microVM handles isolation
- Local inference with Ollama - Run models on your own GPU, nothing leaves your machine
- Tailnet integration - Preview URLs, port forwarding, access to my infra through Tailscale
- JuiceFS for storage - Storage offloaded to S3. Paused sessions cost nothing but storage
- Live terminal access - Drop into the sandbox shell from the app
- Session history - Auto-snapshots after each turn. Roll back workspace and chat to any previous point
- GitHub integration - Clone private repos, push commits, create PRs. Per-repo scoped tokens generated on demand via a GitHub App
- GitHub Bot - @mention on PRs/issues to spin up a sandbox and get a response as a comment. Auto-reviews dependency update PRs from Dependabot/Renovate
- Multiple SDKs & providers - Claude Code, OpenCode, Copilot, Codex SDKs with Anthropic, OpenAI, Mistral, Ollama, and more
- Secrets can't be stolen - API keys never enter the sandbox. A proxy injects them on the fly for allowed hosts
flowchart LR
subgraph CLIENT["Client"]
APP["iOS / macOS<br/><sub>SwiftUI</sub>"]
end
subgraph VPS["VPS - k3s"]
TS["Tailscale Ingress<br/><sub>TLS - HTTP/2</sub>"]
CP["Control Plane<br/><sub>Go</sub>"]
BOT["GitHub Bot<br/><sub>Go</sub>"]
REDIS[("Redis<br/><sub>Sessions</sub>")]
POOL["agent-sandbox<br/><sub>Warm Pool</sub>"]
JFS[("JuiceFS")]
subgraph SANDBOX["Sandbox - Kata VM<br/><sub>Cloud Hypervisor</sub>"]
AGENT["Agent<br/><sub>Claude / OpenCode / Copilot / Codex SDK</sub>"]
DOCKER["Docker"]
end
end
GH["GitHub Webhooks"]
S3[("S3")]
LLM["LLM APIs"]
APP <-->|"Connect RPC<br/>HTTPS/H2"| TS
TS <-->|"Connect RPC<br/>h2c"| CP
GH -->|"Webhooks"| BOT
BOT <-->|"Connect RPC<br/>h2c"| CP
CP <-->|"Redis Streams"| REDIS
CP <-->|"Connect RPC<br/>gRPC/h2c"| AGENT
POOL -.->|"allocate"| SANDBOX
JFS <--> SANDBOX
JFS <-->|"POSIX on S3"| S3
AGENT --> LLM
The control plane grabs a pre-booted Kata VM from the warm pool (so it's instant), forwards prompts to the agent SDK inside, and streams responses back. Redis persists events so clients can reconnect without losing anything.
When pausing, the VM is deleted but JuiceFS keeps everything in S3: workspace, installed tools, Docker images, SDK session. Resume mounts the same storage and the conversation continues as if nothing happened. Session metadata such as model selection, SDK type, tailnet access, and custom sandbox resources are also persisted so resumed sessions come back with the same runtime configuration. Dozens of paused sessions cost practically nothing.
| Layer | Technology | Purpose |
|---|---|---|
| Host | Linux VPS + Ansible | Provisioned via playbooks |
| Orchestration | k3s | Lightweight Kubernetes, nice for single-node |
| Isolation | Kata Containers + Cloud Hypervisor | MicroVM per agent session |
| Storage | JuiceFS → S3 | POSIX filesystem on object storage |
| State | Redis (Streams) | Real-time, streaming session state |
| Network | Tailscale Operator | VPN to host, ingress, sandbox previews |
| API | Protobuf + Connect RPC | Type-safe, gRPC-like, streams |
| Control Plane | Go | Session and sandbox orchestration |
| Agent | TypeScript/Node.js | SDK runner inside sandbox |
| GitHub Bot | Go | Webhook-driven bot for @mentions and dep reviews |
| Secret Proxy | Go | Injects API keys outside the sandbox |
| Local LLM | Ollama | Optional, local models on GPU |
| Client | SwiftUI (iOS 26) | Native iOS/macOS app |
| CLI | Go | Debug client for development |
netclode/
├── clients/
│ ├── ios/ # iOS/Mac app (SwiftUI)
│ └── cli/ # Debug CLI (Go)
├── services/
│ ├── control-plane/ # Session orchestration (Go)
│ ├── agent/ # SDK runner (Node.js)
│ │ └── auth-proxy/ # Adds SA token to requests (Go)
│ ├── github-bot/ # GitHub webhook bot (Go)
│ └── secret-proxy/ # Injects real API keys (Go)
├── proto/ # Protobuf definitions
├── infra/
│ ├── ansible/ # Server provisioning
│ └── k8s/ # Kubernetes manifests
└── docs/
See docs/deployment.md for full setup. I tried to make it as easy as possible: ideally a single playbook run.
Quick version:
- Provision a VPS with nested virtualization support
- Run Ansible playbooks to provision the server
- Configure secrets (API keys, S3 credentials, Tailscale OAuth)
- Deploy k8s manifests
- Connect via Tailscale and you're good to go
- Deployment - Full setup
- Operations - Day-to-day management
- Sandbox Architecture - Kata VMs, JuiceFS, warm pool
- Session Lifecycle - How sessions work
- Session History - Snapshots and rollback
- GitHub Integration - Clone repos and push commits
- GitHub Bot - @mention bot and dependency review automation
- Network Access - Internet and Tailnet access control
- Secret Proxy - API key protection architecture
- Web Previews - Port exposure via Tailscale
- Terminal - Live shell access
- SDK Support - Claude, OpenCode, Copilot, Codex
- Agent Events - Event types and streaming
- iOS App
- CLI - Debug CLI
- Control Plane
- Agent
- Infrastructure
All videos from the blog post:
No cold start, sandboxes are pre-booted
warm-pool-instant-start.mp4
Older sessions are automatically paused to save resources. Resume brings everything back instantly
session-pause-resume.mp4
Run models on your own GPU
netclode-demo-local-inference-ollama.mp4
Instant sandbox access from the terminal, inspired by sprites.dev
cli-shell-demo.mp4
| Git diff view Diff view with multi-repo support ios-git-diff-view.mp4 |
Live terminal Drop into the sandbox shell from iOS ios-live-terminal.mp4 |
| Speech input Speech recognition for prompts ios-speech-demo.mp4 |
Tailscale port preview Expose sandbox ports to the tailnet tailscale-port-preview.mp4 |