Running a container inside a non-privileged microVM, on an Apple Silicon Mac
If you let an AI agent run arbitrary code — npm install, a test suite, docker build, a Playwright run — you are running untrusted code, and a shared-kernel container is not a boundary against it. The boundary you want for "tenant A's agent must not reach tenant B" is a VM, per run. Kata Containers gives you that: a pod that is transparently a microVM with its own kernel. But the verify stage wants to run containers (Testcontainers, docker build, a DB container). So you need nested containers ...