boxlite-ai/boxlite

★ 2,093 · Rust · Apache-2.0 · updated Jun 2026

Compute substrate for AI agents: lightweight enough to live on your laptop, elastic enough to scale into the cloud and unleash unlimited resources.

BoxLite runs OCI containers inside lightweight VMs, giving AI agents a sandboxed execution environment with actual kernel-level isolation rather than just namespaces. Unlike ephemeral sandboxes, Boxes are stateful — packages and files persist across stop/restart, so an agent can build up environment state over multiple sessions. SDKs for Python, Node.js, Rust, Go, and C wrap a REST API that ships in the same binary.

Hardware isolation via KVM/Hypervisor.framework means a container escape in the guest doesn't reach the host — that's a meaningful security boundary that cgroups/namespaces alone don't give you. The stateful Box model is a real differentiator: most sandbox tools are ephemeral or require you to reconstruct state on every run, which is wasteful and slow for long-running agent tasks. The no-daemon embedded-library design avoids a privileged background service — your process creates and manages Boxes directly, which simplifies deployment. Secret placeholder injection at the network level lets the guest make authenticated HTTP calls without the agent code seeing the actual credentials, which is the right way to handle secrets in untrusted execution environments.

The KVM requirement on Linux is a hard blocker in most CI environments and shared cloud VMs — GitHub Actions runners and standard Docker-in-Docker setups don't have /dev/kvm access, so you can't use this without nested virtualization or dedicated hosts. Intel Mac is 'coming soon', which locks out a non-trivial slice of the developer population. The Go SDK requires CGO and a separate prebuilt native library download step, which breaks cross-compilation and adds friction in containerized Go builds. Looking at the directory tree, there's a full NestJS SaaS backend with organizations, regions, runners, API keys, OIDC, and audit logs living in the same repo — the local-first pitch is real, but it reads as a loss-leader for the cloud product, and if the commercial side diverges the open-source runtime could get less attention.
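A preflight check for the KVM constraint described above, as an added example (not code from the BoxLite project or from this review): it reports whether `/dev/kvm` is usable and, if not, which failure applies. The function name and status strings are assumptions made for this example, and the CPU-flag test applies to x86 hosts only.

```shell
#!/bin/sh
# Added example: classify why KVM is or is not usable on a Linux host.
# kvm_status [DEV] [CPUINFO] prints one status word and returns 0 only
# when the device can be opened read-write:
#   usable                 device node present and accessible
#   no-permission          node present, current user lacks read/write
#   not-a-device           something else sits at the path
#   module-or-passthrough  CPU exposes virtualization, node absent
#   no-virt-flags          no vmx/svm flag visible (x86 only)
# DEV and CPUINFO default to the real paths; they are parameters so the
# function can be run against constructed files.
kvm_status() {
    dev=${1:-/dev/kvm}
    cpuinfo=${2:-/proc/cpuinfo}

    if [ -e "$dev" ]; then
        # A regular file or directory here is not the KVM device.
        [ -c "$dev" ] || { echo not-a-device; return 1; }
        # A hypervisor process opens the node read-write.
        if [ -r "$dev" ] && [ -w "$dev" ]; then
            echo usable
            return 0
        fi
        echo no-permission
        return 1
    fi

    # Node absent. vmx (Intel) or svm (AMD) in the flags line means the
    # hardware or the outer hypervisor exposes virtualization, so the
    # likely cause is an unloaded kvm module or a container started
    # without the device passed through.
    if grep -Eq '[[:space:]](vmx|svm)([[:space:]]|$)' "$cpuinfo" 2>/dev/null; then
        echo module-or-passthrough
    else
        echo no-virt-flags
    fi
    return 1
}

# Typical use as a CI gate:
#   kvm_status >/dev/null || echo "KVM unavailable: $(kvm_status)"
```

On a shared cloud VM or hosted CI runner, `no-virt-flags` usually means nested virtualization is not exposed to the instance, which no change inside the guest can fix.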
