Secure, local and programmable sandboxes for AI agents — launch hardware-isolated microVMs in sub-100ms to execute untrusted code
microsandbox is a secure sandbox runtime designed for AI agents, leveraging microVM technology for hardware-level isolation where each sandbox runs its own independent Linux kernel, protecting against namespace escape vulnerabilities while achieving sub-100ms startup times.
Core Isolation & Security
- microVM virtualization via libkrun with per-sandbox independent kernels, fully isolated from the host kernel
- Non-leaking secret mechanism: secret values never enter the VM; random placeholders are used internally, with real values substituted by the host side only when requests target allowed destinations. Automatically blocks DNS rebinding and cloud metadata endpoints (169.254.169.254)
- Programmable networking: user-space network stack based on smoltcp where every packet leaving the sandbox passes through a host-side controllable stack, supporting IP/DNS/HTTP-level policy control
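The secret-placeholder mechanism and the host-side egress policy above can be modelled together. The following is an added illustration written for this page, not microsandbox's own code: the sandbox is only ever handed a random placeholder, and a host-side gateway substitutes the real value only when the request is bound for an allowed destination whose resolved address is outside blocked ranges (the 169.254.0.0/16 metadata range, loopback, private and link-local space). The connection is pinned to the address that was checked, which is what defeats DNS rebinding. All names (Secret, HostSideGateway, demo, the hostnames and the resolver table) are assumptions constructed for the example.

```python
"""Host-side secret substitution with destination policy (illustrative, not
microsandbox's implementation). The VM sees placeholders only; the host swaps
in real values on the way out, and only for allowed, non-blocked destinations."""
import ipaddress
import secrets
from dataclasses import dataclass, field

# Address ranges the host side refuses to forward to, regardless of hostname.
# 169.254.0.0/16 covers the cloud metadata endpoint 169.254.169.254.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


@dataclass
class Secret:
    name: str
    value: str                      # real value, held on the host only
    allowed_hosts: frozenset[str]   # destinations that may receive the real value
    placeholder: str = field(default_factory=lambda: "msb_" + secrets.token_hex(16))


class HostSideGateway:
    """Models the host side of the egress path (constructed example).

    `resolver` maps hostname -> list of IP strings; it is injected so the
    rebinding case can be exercised deterministically without real DNS."""

    def __init__(self, secret_list: list[Secret], resolver):
        self._by_placeholder = {s.placeholder: s for s in secret_list}
        self._resolver = resolver

    def placeholders(self) -> dict[str, str]:
        """What the sandbox is given: name -> placeholder, never the real value."""
        return {s.name: s.placeholder for s in self._by_placeholder.values()}

    def forward(self, host: str, headers: dict[str, str]) -> tuple[str, dict[str, str]]:
        """Check the destination, pin the connection to the checked IP, then
        substitute real secret values only where policy allows.
        Returns (pinned_ip, outgoing_headers); raises PermissionError on deny."""
        addrs = self._resolver(host)
        if not addrs:
            raise PermissionError(f"unresolvable host {host}")
        # Every resolved address must be outside the blocked ranges; one answer
        # pointing into 169.254.0.0/16 is enough to refuse the whole request.
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if any(ip in net for net in BLOCKED_NETWORKS):
                raise PermissionError(f"{host} resolves to blocked address {a}")
        pinned_ip = addrs[0]  # connect to the address we validated, never re-resolve

        out = {}
        for k, v in headers.items():
            for ph, sec in self._by_placeholder.items():
                if ph in v:
                    if host not in sec.allowed_hosts:
                        # Placeholder bound for a host outside its allow-list: refuse,
                        # so the real value never leaves for an unintended destination.
                        raise PermissionError(f"secret {sec.name} not allowed for {host}")
                    v = v.replace(ph, sec.value)
            out[k] = v
        return pinned_ip, out


def demo() -> dict:
    """Constructed scenario: one secret scoped to api.example.com."""
    secret = Secret("API_KEY", "real-key-123", frozenset({"api.example.com"}))
    table = {  # constructed resolver answers (documentation address ranges)
        "api.example.com": ["203.0.113.10"],
        "metadata.example.net": ["169.254.169.254"],
        "other.example.org": ["198.51.100.7"],
    }
    gw = HostSideGateway([secret], resolver=lambda h: table.get(h, []))
    ph = gw.placeholders()["API_KEY"]
    results = {"placeholder_in_vm": ph}
    # 1. allowed destination: placeholder replaced by the real value on the host
    results["allowed"] = gw.forward("api.example.com", {"Authorization": f"Bearer {ph}"})
    # 2. name resolving into the metadata range: refused before any substitution
    try:
        gw.forward("metadata.example.net", {"Authorization": f"Bearer {ph}"})
        results["metadata"] = "forwarded"
    except PermissionError as e:
        results["metadata"] = f"denied: {e}"
    # 3. routable destination, but not on this secret's allow-list: refused
    try:
        gw.forward("other.example.org", {"Authorization": f"Bearer {ph}"})
        results["other"] = "forwarded"
    except PermissionError as e:
        results["other"] = f"denied: {e}"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points worth noting: the address check runs over every resolved answer and the connection is pinned to the checked address, so a later re-resolution cannot redirect an already-approved request; and a request carrying a placeholder for a host outside the secret's allow-list is refused outright rather than forwarded with the placeholder intact, which avoids leaking even the existence of a scoped credential.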
Image & Filesystem
- OCI compatible: supports standard container images from Docker Hub, GHCR, ECR, GCR and any OCI-compatible registry with automatic shared layer deduplication
- Image storage uses VMDK + EROFS fsmeta for block-device-backed rootfs
- Supports host directory mounts, managed volumes, and custom filesystem backends
- Snapshot & reuse: capture stopped sandbox writable layers as portable artifacts; subsequent sandboxes boot from snapshots skipping the installation phase
Deployment Model
- Runtime embeds directly as a child process of the host application — no daemon architecture, no root required, no background services
- Supports Linux (KVM) and macOS (Apple Silicon)
- Detached mode available for long-running sessions
Developer Experience
- Multi-language SDKs (Rust, TypeScript, Python) with consistent APIs
- Full-featured CLI tool msb covering sandbox/image/volume lifecycle management
- AI Agent integration: MCP Server (microsandbox-mcp) and Agent Skills compatible with Claude Code, Cursor, Codex, Gemini CLI, GitHub Copilot and other mainstream AI coding assistants
Typical Use Cases
- AI Agent code execution sandbox: run untrusted code in isolated VMs, preventing prompt injection from compromising the host
- Zero-leak credential management: Agent calls external APIs without exposing secrets to sandbox-internal code
- Local isolated dev & test: quickly spin up isolated environments from OCI images
- CI/CD lightweight parallel builds: sub-100ms microVM startup for parallelized build tasks
- Multi-agent collaboration: each agent gets an isolated environment with snapshot-based reuse of pre-configured setups
Current Status: Beta (v0.4.5); programmable networking and extensible filesystem backends marked as coming soon; Windows support status unconfirmed.