StrideLabs
Tools from the lab · stridelabs.ai Built with agents
Dev environments · Go

Shed

Cross-platform microVM environments with an agent-forward design.

Run coding agents inside microVMs (Firecracker on Linux, Apple Virtualization on macOS) on your laptop or a fleet of servers over Tailscale. Build a standard base environment you can SSH into anywhere, with host-side credential brokering, local mounts, persistent sessions, and plans that can run unattended.

$ brew install charliek/tap/shed
shed
$ shed create review --repo charliek/prox --server mini-2
booting Firecracker microVM on mini-2 ... ready
brokering creds: docker, ssh  (brokered on host) ✓
$ shed attach review --plan ./refactor-plan.md -d
shipped plan → ~/.claude/plans/plan-refactor.md
running unattended · watch at claude.ai/code (rc-9f2a)
$ shed list
NAME    SERVER  BACKEND      STATUS
review  mini-2  firecracker  running
01

Overview

Shed is a way to run coding agents in real isolation, on the machine that makes the most sense for the job. Each environment, a “shed”, is a microVM: Firecracker on Linux, Apple Virtualization on macOS Apple Silicon. You create one from a standard base environment with a directory or repo mounted in and an agent like Claude Code or OpenCode already installed, then SSH into it on your own machine or on a server elsewhere on your network.

The part I care most about is how it handles trust. Instead of copying API keys and SSH keys into every environment, a host-side broker lends a shed the credentials you already have (AWS, Docker, SSH) without mounting them in: the keys stay on your machine, and every use is audited. SSH adds detailed per-request approval, gated by Touch ID on macOS through the shed-desktop app, while AWS and Docker are allow-or-deny for now. Named egress profiles go a step further and limit what a shed can reach on the network, so an agent you have sandboxed only talks to what you allow.

Because a shed can live on another machine, it works as well across a fleet as on your laptop. I run them on Linux mini-PCs over Tailscale and point work at whichever has capacity. You can SSH in directly, connect an IDE over Remote-SSH (Cursor, VS Code, Zed, JetBrains), and the VM and its tmux session keep running after you disconnect. You can also hand a shed a plan with shed attach --plan and let the agent execute it unattended while you watch from claude.ai/code.

Under the hood it is three pieces: the shed CLI on your machine, a shed-server daemon on each host that runs the VMs and serves an HTTP API plus an SSH server, and an optional shed-host-agent for credential brokering (part of shed-extensions, paired with the shed-desktop app on macOS). Both backends boot from layered OCI images pulled registry-direct, which is what keeps spinning one up cheap. The server binds to loopback by default, and facing the network is an explicit opt-in with a secure mode behind it (pinned TLS, minted bearer tokens, an SSH key allowlist).

02

Where it stands

Shed is the most ambitious tool in the lab right now, and the one with the most churn. It pairs naturally with Roost: run an agent in a shed and drive it from a Roost project tab. It is single-user today, though auth landed recently as a first step toward more, and it is still alpha software while the desktop, mobile, extension, egress, and plan workflows settle. The goal is to make running an agent in isolation on any of my machines feel as easy as running one on my main machine; the core primitives are the part to watch.

What it does

Shed

Real VM isolation

Each shed is a genuine VM (Firecracker on Linux, Apple Virtualization on macOS Apple Silicon), not a container sharing a kernel, and no docker-in-docker. The right boundary for running an agent you want kept fenced in.

Credentials it uses but never holds

A host-side broker lends a shed your AWS, Docker, and SSH credentials without mounting them into the VM. The agent's git push or docker pull just works, the keys stay on your machine, and every use is audited. SSH adds detailed per-request approval, gated by Touch ID on macOS through the shed-desktop app.

Egress filtering

Named egress profiles control what a shed can reach on the network, so a sandboxed agent only talks to the hosts you allow. Profiles are editable at runtime and re-push to running sheds.

Hand off a plan

shed attach --plan ships a plan into a shed and lets Claude run it unattended, printing a claude.ai/code URL you can watch and steer from. Your laptop can close while it works.

Local or remote, one CLI

Run sheds on your own machine or on a fleet of servers over Tailscale (home mini-PCs, a cloud VPS), all from one CLI, pointing work at whichever host has capacity.

SSH access, persistent sessions

SSH into a shed like any other machine, or connect Cursor, VS Code, Zed, or JetBrains over Remote-SSH. The VM and its tmux session keep running after you disconnect, so you reconnect exactly where you left off.