Clean Mac runs for agents.

cove turns Apple Silicon Macs into repeatable macOS runs for agents, CI, and computer-use evals that need native apps, files, permissions, screenshots, and clean rollback.

  • base: macos-15:clean
  • fork: 132-140 ms
  • agent: reachable
  • artifacts: local
  • telemetry: none

  • v0.6.0 shipped surface
  • 132-140 ms stopped-parent fork evidence
  • macOS 14+ Apple Silicon host floor
  • zero telemetry local-first posture

When the workload needs macOS state.

Containers are a strong default for Linux services, CLIs, and many browser or code tasks. cove is for the narrower case where the run needs macOS itself: native apps, permissions, screenshots, files, installers, browser state, Keychain-adjacent workflows, and a clean reset on Apple Silicon the operator controls.

Containers fit when

  • The workload is a Linux service, CLI, or browser task.
  • Process isolation is enough.
  • The run does not need macOS desktop state or Apple frameworks.

Use cove when

  • The run needs a real Mac, not a Linux container.
  • An agent or test may touch files, preferences, permissions, apps, screenshots, or secrets.
  • You need fork/restore plus one local evidence bundle after the run.

Other platforms fit when

  • Mass cloud capacity where managed Mac fleets are the main problem.
  • Low-sensitivity code execution that already fits a cloud sandbox.
  • A public registry or fleet platform before those gates clear.

Local fork/restore loop

base

Install and prepare a known-good macOS guest.

snapshot

Save named disk and VM state for repeatable starts.

fork

Clone the child in milliseconds, then run the job.

discard

Keep artifacts and audit records; throw away residue.

$ cove run -fork-from macos-15:clean -ephemeral
fork: 132-140 ms from stopped parent on M4 Max
agent: reachable in 10.788 s
artifacts: ~/.vz/runs/<run-id>/

Shipped local Mac isolation, with supportability hardening in progress. cove runs on macOS 14+ on Apple Silicon and already covers ScreenCaptureKit migration work, secret-safe guest commands, private CI migration support, CLI robustness, and local fork/restore evidence. The next hardening pass improves first-run checks, support bundles, structured JSON errors, runner scaffolding, trace/recording export, and Linux runtime paths. Public registry, signed channels, and any v1 announce under the cove name remain gated.

Agents need computers that reset cleanly.

The hard part of computer-use automation is not only clicking the right button. It is returning the machine to a known state after the agent misclicks, sees sensitive data, writes a file, changes a preference, or leaves a daemon behind. cove treats the Mac as a repeatable runtime: start from a named clean point, let the workload touch a real desktop, keep the run record, and throw away the child machine.

Mac virtualization is real. cove is narrower on purpose.

Tart, Lume, Anka, and Orka validate Mac VMs on Apple Silicon. Browser and code sandboxes validate disposable agent runtimes. cove sits between those worlds: local Mac execution for sensitive agent, eval, CI, and desktop workflows where the operator owns the hardware and the run record.

CI fleets

Tart, Anka, and Orka are built around Mac VM images, CI integrations, and fleet orchestration.

Use them when the primary job is scaling Apple build infrastructure. cove starts with repeatable fork/restore runs, local artifacts, and privacy-sensitive automation on Macs the team already controls.

Agent sandboxes

Cua, Lume, E2B, and Daytona make isolated agent environments easier to provision.

Those are strong defaults when cloud execution is acceptable. cove is for cases where browser state, desktop files, credentials, screenshots, or regulated data should not leave the operator's Mac boundary.

Browser infra

Browserbase and Steel solve durable browser sessions, proxies, observability, and web automation scale.

cove is not a browser fleet. It is the Mac underneath when the workflow reaches native apps, installers, files, permissions, ScreenCaptureKit, or a full desktop state that must be reset.

Agent and computer-use evals

Run browser, desktop, and file-system work in a real Mac guest, then reset to a known state instead of trusting user-account cleanup.

Private macOS CI

Move sensitive builds and test jobs onto Macs you control, with guest command logs, secret redaction, and per-run artifacts.

Software testing on real macOS

Exercise installers, permissions, UI flows, and native integrations without turning one laptop into a long-lived pet machine.

Regulated local automation

Keep legal, healthcare, finance, and enterprise workflows on local hardware when a hosted sandbox is not acceptable.

computer-use eval

A browser agent handles a benefits portal.

The run touches PHI, downloads PDFs, and may leave cookies or local files. cove forks from a clean guest, captures screenshots and logs, then discards the child.

clean state over account cleanup

macOS CI

A private build needs a real Mac.

Secrets are injected for the guest command, redacted from logs, and tied to a run artifact bundle. The job stays local instead of becoming another cloud Mac credential problem.

secret-env + per-run artifacts

software QA

An installer changes system state.

Permissions, LaunchDaemons, preferences, and UI state are exactly the things a test has to exercise. The VM child is allowed to get messy, because the next run starts again from the parent.

fork, run, discard

  1. Create the base.

    cove install, inject, run, and VZScript recipes prepare the guest on Apple Virtualization.framework.

  2. Capture a clean point.

    Disk snapshots and VM state form a named lineage. The supported isolation primitive is fork/restore, not per-user soft reset.

  3. Run the workload.

    The guest-control socket handles screenshots, keyboard and mouse, file copy, one-shot shell commands, and bidirectional exec on current agents.

  4. Keep evidence, not residue.

    Runs produce manifests, event logs, stdout/stderr, and screenshots under ~/.vz/runs/<run-id>/; the ephemeral child is disposable.
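The macOS CI card above (secrets injected for the guest command, redacted from logs, tied to a run artifact bundle) and step 4 (manifests, stdout/stderr, and screenshots kept per run) describe the same evidence discipline. The following is an added example written for this page, not cove's own implementation: it injects secrets through the environment, redacts their values from captured stdout/stderr before anything touches disk, records only the secret names in a manifest, and then scans the finished bundle for leaked values. The bundle layout (manifest.json, stdout.log, stderr.log under an artifacts root) and the secret values are constructed assumptions; cove's real layout under ~/.vz/runs/<run-id>/ is not shown on this page.

```python
# Added example: a per-run evidence bundle with secret redaction.
# Illustrative code written for this page, not cove's own implementation;
# the bundle layout (manifest.json, stdout.log, stderr.log) is an assumption.
import hashlib
import json
import os
import re
import subprocess
import sys
import tempfile
import time
import uuid
from pathlib import Path


def build_redactor(secret_env):
    """Return a function that replaces every secret value with a marker.

    Longer values are matched first so that a secret which is a prefix of
    another cannot leave the longer one's tail in the log.
    """
    values = sorted((v for v in secret_env.values() if v), key=len, reverse=True)
    if not values:
        return lambda text: text
    pattern = re.compile("|".join(re.escape(v) for v in values))
    return lambda text: pattern.sub("[REDACTED]", text)


def run_with_evidence(argv, secret_env, artifacts_root, run_id=None):
    """Run argv with secrets injected via the environment and write a bundle.

    Only the secret *names* reach the manifest; stdout/stderr are redacted
    before they touch disk, so raw values never enter the run record.
    """
    run_id = run_id or uuid.uuid4().hex
    run_dir = Path(artifacts_root) / run_id
    run_dir.mkdir(parents=True, exist_ok=False)  # one directory per run
    redact = build_redactor(secret_env)

    started = time.time()
    proc = subprocess.run(
        argv,
        env={**os.environ, **secret_env},
        capture_output=True,
        text=True,
    )
    stdout = redact(proc.stdout)
    stderr = redact(proc.stderr)
    (run_dir / "stdout.log").write_text(stdout)
    (run_dir / "stderr.log").write_text(stderr)

    manifest = {
        "run_id": run_id,
        "argv": [redact(arg) for arg in argv],  # secrets on the command line are redacted too
        "secret_env_names": sorted(secret_env),  # names only, never values
        "exit_code": proc.returncode,
        "started_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(started)),
        "duration_s": round(time.time() - started, 3),
        "stdout_sha256": hashlib.sha256(stdout.encode()).hexdigest(),
        "stderr_sha256": hashlib.sha256(stderr.encode()).hexdigest(),
    }
    (run_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def find_leaks(run_dir, secret_env):
    """Post-run check: report any file in the bundle that still contains a raw secret."""
    leaks = []
    for path in sorted(Path(run_dir).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_text(errors="replace")
        for name, value in secret_env.items():
            if value and value in data:
                leaks.append((path.name, name))
    return leaks


def demo():
    """Constructed run: the guest command echoes the injected secrets to stdout and stderr."""
    secrets = {"API_TOKEN": "tok-constructed-8f3a9c", "DB_PASSWORD": "hunter2-constructed"}
    # Portable stand-in for a guest command; a real job would be the build or test script.
    guest_cmd = [
        sys.executable,
        "-c",
        "import os, sys; print('auth=' + os.environ['API_TOKEN']); "
        "print('db=' + os.environ['DB_PASSWORD'], file=sys.stderr)",
    ]
    root = Path(tempfile.mkdtemp(prefix="runs-"))
    manifest = run_with_evidence(guest_cmd, secrets, root)
    run_dir = root / manifest["run_id"]
    return {
        "manifest": manifest,
        "stdout": (run_dir / "stdout.log").read_text(),
        "stderr": (run_dir / "stderr.log").read_text(),
        "leaks": find_leaks(run_dir, secrets),
    }


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["manifest"], indent=2))
    print("stdout:", result["stdout"].strip())
    print("leaks:", result["leaks"])
```

The post-run leak scan is the part worth keeping in any real pipeline: redaction on the write path is the control, and the scan over the finished bundle is the check that the control held before the artifacts leave the run directory.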

Use cove when

  • The run needs a real Mac, not just a Linux container or browser tab.
  • The data is sensitive enough that hosted sandboxes are uncomfortable.
  • Rollback, screenshots, stdout/stderr, logs, and artifacts need one local bundle.
  • The test modifies system state, user state, permissions, files, or desktop apps.

Use a Mac CI fleet when

  • The main problem is hundreds of Apple build workers.
  • Kubernetes-native scheduling, registry distribution, and CI plugins are the center.
  • The workload is already comfortable inside a managed Mac cloud.

Cloud sandboxes fit when

  • The workload is code execution or browser automation with low data sensitivity.
  • Elastic capacity matters more than hardware ownership.
  • The audit trail can live in the sandbox provider's control plane.

Before cove

  • One long-lived Mac accumulates test residue.
  • Cleanup scripts become part of the trust boundary.
  • Cloud sandboxes are convenient but not acceptable for every dataset.
  • CI logs and screenshots scatter across unrelated systems.

With cove

  • Each run starts from named disk and VM state.
  • The isolation story is fork/restore, not best-effort deletion.
  • Mac workloads stay on customer-controlled Apple hardware.
  • Run manifests, events, stdout/stderr, and screenshots stay together.

Capabilities

How does this relate to Docker?

Docker remains the right default for Linux containers. cove covers a different part of the problem: workloads that need macOS state, native apps, installers, permissions, screenshots, files, browser sessions, and a VM child that can be discarded after the run. The product is fork/restore plus evidence on a real Mac.

Why not Tart, Lume, Anka, or Orka?

Those projects are serious Mac virtualization and orchestration systems. cove is not claiming broader fleet maturity today. The focused product is local, privacy-sensitive Mac execution with fork/restore, per-run evidence, and agent/eval ergonomics.

Why not just run the agent in the cloud?

For low-sensitivity browser or code work, cloud sandboxes are often the right answer. cove is for finance, healthcare, legal, enterprise desktop, CI secret, and native Mac workflows where credentials, screenshots, local files, and logs are part of the trust boundary.

Is cove a fleet platform?

Not yet. The shipped claim is a local Mac runtime with fork/restore, guest control, private CI support, and run artifacts. Public registry, signed distribution, fleet scheduling, and a v1 launch remain gated.

cove is built for the moment an agent needs a real Mac and the operator needs a reset button they can trust.

cove is the local Mac runtime under the Caletta stack. skiff uses the same local-first posture for agent policy and network control; cove supplies the disposable Mac when the payload needs a real machine.