InstaVM – A Fully Local, Privacy-First Code Execution Platform Built for the Mac

Imagine a world where your AI-powered assistant doesn’t send your data to the cloud—where every thought, every code execution, every file edit happens entirely on your machine. That’s the core vision behind InstaVM: a secure, local-first platform for AI-driven tasks with complete isolation and privacy.

At its heart, InstaVM combines three key elements: a local LLM for intelligent task planning, containerized execution for safe code running, and a browser-based interface for seamless interaction—all running on Apple Silicon with zero reliance on remote services.

The journey began with a simple but powerful demand: “I want everything local—no cloud, no remote code execution.” That single line exposed a deeper truth—while open-source LLMs are now abundant, true privacy requires more than just a local model. You need isolation. You need control. You need a sandboxed environment where AI-generated code can run without touching your host system.

We explored multiple paths. We tried building a native Mac app using tools like a0.dev and Electron, but both proved frustrating—either platform-specific or overly complex. Eventually, we settled on a lightweight, local web interface powered by Next.js, which gave us the flexibility and simplicity we needed. For the LLM layer, we integrated multiple models via ai-sdk, allowing users to choose between local models and cloud-based ones—offering a smooth onboarding path while keeping the door open for full local autonomy as small models improve.

A major hurdle was tool-calling support. While some models support it natively, Ollama hasn’t fully implemented tool calling for many of its models—even those listed as “tool-capable.” This inconsistency forced us to carefully vet models and design a flexible system that adapts to what’s available.

Enter Apple’s new Container tool—our secret weapon.
Unlike Docker, Apple Container provides a full VM per container, offering stronger isolation. We used it to run a Jupyter server inside a secure, ephemeral VM. We exposed this via MCP (Model Context Protocol), enabling seamless integration with tools like Claude Desktop and Gemini CLI. No API endpoints. No complex setup. Just plug and play. The result? AI-generated Python code runs safely in isolation, with the model itself never touching the host system.

We also added a headless browser using Playwright, also running inside the same container. This allows the system to research online—fetching documentation, browsing GitHub, summarizing web content—while still maintaining full isolation.

All user files are stored in a mapped volume: ~/.coderunner/assets on the host, mapped to /app/uploads in the container. This ensures files stay accessible and persistent, but code execution never reaches the host OS.

What can InstaVM do?

- Edit videos using ffmpeg: “Cut the video between 0:10 and 1:00”
- Resize, crop, and convert images
- Generate and render charts from CSV data using plain English
- Install tools from GitHub in a sandboxed environment
- Research topics by fetching and summarizing web content
- Execute arbitrary Python code securely

And yes, it even remembers your instructions—like addressing you as “Lord Voldemort” for fun, proving the system respects custom instructions.

Of course, there are challenges. Apple Container is still in early stages—builds fail with “Trap” errors, hang silently, or require manual cleanup. You’ll need patience: pkill all processes and restart. But the potential is undeniable.

InstaVM isn’t just a prototype. It’s a statement: privacy and control should be the default, not the exception. While the most powerful models may remain in the cloud, we believe there’s a vital space for local tools that handle everyday tasks without compromise. We didn’t just imagine this future—we built it. And now, you can too.
Check out the code at coderunner-ui on GitHub and join the movement toward local AI, real privacy, and full ownership of your data. Feedback, issues, and contributions are welcome.
InstaVM is a secure, fully local code execution platform designed for privacy-first AI workflows. The core idea was simple: run everything on your machine—no cloud, no remote execution, no data leaks. This vision required stitching together several components into a seamless, isolated system.

At a high level, mainstream LLM apps like ChatGPT or Claude rely on cloud-based models and remote servers. While open-source LLMs are now available, running them locally isn’t enough. True privacy demands isolation—especially when executing code generated by the model. That’s why the stack needed to include: a local LLM for conversation, a containerized environment for safe code execution, and a browser interface for interaction.

We aimed to build a system where tasks involving sensitive data—like editing personal photos or videos—could be completed entirely on-device. Even with strong security practices, cloud-based AI services have had breaches. The early ChatGPT incident, where user chats were exposed across accounts, showed how quickly trust can erode.

Our stack ran entirely on Apple Silicon, using Apple’s new Container tool for isolation. Unlike Docker, Apple Container provides a full VM per container, offering stronger security boundaries—ideal for sandboxing code.

We started by trying to build a native Mac app using a0.dev and later Electron with Next.js. Both attempts were frustrating. The tools didn’t adapt well to macOS, and LLMs hallucinated steps or missed platform-specific details. After days of struggle, we gave up on the native app and focused on a local web interface. The result was clean, lightweight, and fully functional.

For the UI, we used Assistant-UI, but found it didn’t support multiple LLMs out of the box. We turned to ai-sdk to add model selection. We decided not to restrict users to only local models. Smaller models are still improving, so we let users experiment with both local and remote options—future-proofing the system.
Tool calling was another hurdle. Many models support it, but Ollama doesn’t yet implement tool calling for all models, even if listed as such. This inconsistency made integration tricky. We had to manually verify support and adjust our workflow accordingly.

The real breakthrough came with containerized code execution. Using Apple’s Container, we deployed a Jupyter server inside an isolated VM. We exposed it via MCP (Model Context Protocol), allowing tools like Claude Desktop and Gemini CLI to use it directly. The setup looked like this:

    "mcpServers": {
      "coderunner": {
        "httpUrl": "http://coderunner.local:8222/mcp"
      }
    }

This allowed AI-generated Python code to run securely in the VM. When we tested it, Claude automatically detected and used the execute_python_code tool—proof the system worked.

We also added a headless browser using Playwright, also running in the same container. This enabled the system to research online, fetch documentation from GitHub, or summarize web content—without exposing data to external services.

We mapped a volume from ~/.coderunner/assets on the host to /app/uploads in the container. This kept generated files safe and accessible, while ensuring code never touched the host system.

The platform can now:

- Research topics using a headless browser
- Generate and render charts from CSV using natural language
- Edit videos with ffmpeg (e.g., trim between 0:10 and 1:00)
- Edit images (resize, crop, convert formats)
- Install tools from GitHub in a sandboxed environment
- Fetch and summarize web content

While building it, we faced challenges—especially with Apple Container. Builds often failed with mysterious trap errors or hung silently. The fix? Kill all container processes, clear the buildkit image, restart, and retry. Repeat until it works. It took hours, but the isolation benefits are worth it.

This isn’t just a prototype. It’s a statement: privacy and control should be possible without sacrificing functionality.
While the most powerful models may remain in the cloud, we believe local tools can handle everyday tasks securely. We built it. Now you can too. Check out coderunner-ui on GitHub to get started. We welcome feedback, issues, and contributions.
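
The mapped volume (~/.coderunner/assets on the host, /app/uploads in the container) is the one host directory that sandboxed code writes into, so a host-side component that opens files named by the sandbox should confirm they stay inside it. The following is an added example, not code from coderunner-ui; the function names to_host_path and audit_shared_dir and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath

CONTAINER_ROOT = PurePosixPath("/app/uploads")  # container side of the mapping
HOST_ROOT = Path("~/.coderunner/assets")        # host side of the mapping

def _inside(root, path):
    return path == root or root in path.parents

def to_host_path(container_path, host_root=HOST_ROOT):
    """Map a sandbox-reported path to the host; ValueError if it leaves the share."""
    root = Path(host_root).expanduser().resolve()
    try:
        rel = PurePosixPath(container_path).relative_to(CONTAINER_ROOT)
    except ValueError:
        raise ValueError(f"not under {CONTAINER_ROOT}: {container_path!r}") from None
    candidate = (root / rel).resolve()  # collapses ".." and follows symlinks
    if not _inside(root, candidate):
        raise ValueError(f"escapes shared directory: {container_path!r}")
    return candidate

def audit_shared_dir(host_root=HOST_ROOT):
    """List symlinks in the share whose targets resolve outside it."""
    root = Path(host_root).expanduser().resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if entry.is_symlink() and not _inside(root, entry.resolve()):
                findings.append(str(entry.relative_to(root)))
    return sorted(findings)

def demo():
    """Exercise both checks on a constructed (temporary) assets directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "assets"
        root.mkdir()
        (root / "chart.png").write_bytes(b"constructed sample")
        (root / "leak").symlink_to(Path(tmp))  # constructed link pointing outside
        results = {"ok": to_host_path("/app/uploads/chart.png", root).name,
                   "audit": audit_shared_dir(root)}
        for bad in ("/app/uploads/../../etc/passwd", "/app/uploads/leak/x", "/etc/passwd"):
            try:
                to_host_path(bad, root)
                results[bad] = "accepted"
            except ValueError:
                results[bad] = "rejected"
        return results
```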