Show HN: machine – a VM per project
Hi all!

I realized it’s really not secure to run coding projects directly on my Mac. All the NPM hacks recently, especially with agentic coding — you’re always one npm install away from a disaster.

So I’ve built a small CLI called machine that starts a Lima VM for each of your projects. It supports declarative “profiles” which are like package.json for your VM. The default profile comes with standard stuff like Node.js, git, Docker, Claude Code and Codex.

If you share your projects.toml with your team, every developer can spin up your team’s entire dev environment with one command. No need to install dev tools, clone repos, npm install anything manually.

Another cool thing is that you can use the native macOS keychain or 1Password to forward SSH signatures to the VM. So every time you need to commit or push code, you touch the Touch ID key and it’s signed. SSH keys never leave the host.

The same is done for env variables and secrets. You inject them with one command from 1Password when the machine starts and they are never stored in a file.

Repo: https://github.com/katspaugh/machine

Genuinely curious about your feedback!
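The two security claims in the post ("SSH keys never leave the host" and "secrets are never stored in a file") are exactly the kind of thing a practitioner should verify from inside the guest rather than take on trust. The script below is an added example and is not part of the machine project or its CLI: it audits a filesystem tree for private key material and dotenv files, the two artifacts that should be absent if signing goes through a forwarded agent and secrets are injected as environment variables at boot. The sample tree it builds (`make_sample_guest`) is constructed for the demonstration and deliberately contains one leaked key and one `.env` file; the key and token bodies are placeholders, not real material.

```sh
#!/bin/sh
# Added example, not the machine project's own code.
# Audit a guest filesystem tree for material that a host-only design
# should never leave behind: private SSH keys (signing is supposed to go
# through the forwarded agent) and dotenv files (secrets are supposed to
# arrive as environment variables at boot). Inside the VM, run it against
# "$HOME" or "/".

# audit_guest_tree DIR: prints one line per finding; exit 0 if clean, 1 otherwise.
audit_guest_tree() {
    dir="$1"
    out=$(
        # Private key material: OpenSSH or PEM private-key headers in any regular file.
        find "$dir" -type f -exec grep -l \
            -e '-----BEGIN OPENSSH PRIVATE KEY-----' \
            -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' {} + 2>/dev/null \
            | sed 's/^/private key material: /'
        # Dotenv-style secret files (.env, .env.local, .env.production, ...).
        find "$dir" -type f \( -name '.env' -o -name '.env.*' \) 2>/dev/null \
            | sed 's/^/dotenv file: /'
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# make_sample_guest DIR: constructed sample tree with two deliberate leaks.
make_sample_guest() {
    dir="$1"
    mkdir -p "$dir/home/dev/.ssh" "$dir/home/dev/proj"
    # A public key in authorized_keys is expected: that is what the host's
    # agent authenticates against. It must not trigger a finding.
    echo 'ssh-ed25519 AAAA-constructed-placeholder-not-a-real-key dev@host' \
        > "$dir/home/dev/.ssh/authorized_keys"
    # Leak 1: a private key copied into the guest (placeholder body, not a real key).
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed-placeholder\n-----END OPENSSH PRIVATE KEY-----\n' \
        > "$dir/home/dev/.ssh/id_ed25519"
    # Leak 2: a secret written to a dotenv file instead of injected at boot (placeholder value).
    printf 'NPM_TOKEN=constructed-placeholder-token\n' > "$dir/home/dev/proj/.env"
    # Ordinary project file that must not trigger a finding.
    printf '{ "name": "proj" }\n' > "$dir/home/dev/proj/package.json"
}

# Stand-alone usage: build the constructed tree and audit it.
sample=$(mktemp -d)
make_sample_guest "$sample"
if audit_guest_tree "$sample"; then
    echo "clean: no host-only material found"
else
    echo "guest holds material that should have stayed on the host"
fi
rm -rf "$sample"
```

On a real guest, a clean result only confirms the two artifacts are absent on disk; it says nothing about what is reachable through the forwarded agent itself. Any process in the VM that can talk to the agent socket can ask the host to sign on its behalf, so agent forwarding bounds exposure to the lifetime of the session rather than eliminating it, and a Touch ID prompt per signature is what makes a rogue signing request visible.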