Credentials never enter containers
A host-side MITM TLS proxy intercepts HTTPS and injects credentials transparently —
claude, pi, gh, git, curl,
and any other tool work unmodified, with no configuration or wrappers needed inside the environment.
Branches run with full internet, proxy-only egress, or completely airgapped.
The proxy also caches container image layers and build artifacts on the host — the same dependency is never downloaded twice.
Real machines, not process jails
Docker and Podman are built for shipping applications —
minimal filesystems, single-process isolation, fast startup.
isx solves a different problem: full system containers powered by
Incus that behave like real machines.
Each environment runs its own init system, has real networking
(ping, strace, nested Podman/Docker),
and supports GUI and audio passthrough.
Templates pre-install your baseline tools and repos, but the environment is a real Linux system —
agents and users can freely dnf install, pip install,
build from source, or run Docker Compose just like on a workstation.
For untrusted code, KVM virtual machines provide hardware-level isolation with a separate kernel.
Instant branching
Like git branch, each clone is a copy-on-write snapshot that shares storage
with its parent. Build a template once with your preferred tools and repos, then spin up
complete, disposable environments in seconds — each with its own filesystem,
networking, and process tree.
tpl-java (stopped template, ~2GB)
├── fix-nasty-bug (running, uses ~50MB extra)
├── review-pr-423 (running, uses ~30MB extra)
└── experiment (stopped, uses ~10MB extra)
Built for developer workflows
Templates are YAML: packages, tools, repos. Branch and it's all there.
Git remotes are managed automatically —
git fetch fix-auth from your host pulls commits straight out of the container.
JetBrains Gateway, shell completions, and Claude Code skills plug in via the same tool system.
# Inside the container, you make some commits...
# Back on the host:
git fetch fix-auth
git cherry-pick fix-auth/main