// the find
superradcompany/microsandbox
🧱 secure, local and programmable sandboxes for AI agents
Microsandbox spins up microVMs (via libkrun) in under 100ms, exposing them through Rust/Python/TypeScript SDKs and a CLI. It's aimed at AI agent workloads where you need hardware-level isolation for untrusted code execution without managing separate infrastructure. Runs rootless on Linux/KVM or Apple Silicon macOS.
- Architecture is genuinely well-decomposed: separate crates for network, filesystem, image, protocol, and runtime mean you can audit the security boundary code without wading through application logic.
- The custom filesystem stack (memfs, passthroughfs, dualfs with OCI layer merge) is non-trivial work and has real test coverage including concurrency, xattr, whiteout, and policy tests — not just happy-path smoke tests.
- The secrets-that-never-enter-the-VM feature via TLS MITM proxy in the network crate is a clever design — secrets are injected at the network layer so even a compromised VM can't read them from memory or environment.
- Multi-language SDK support (Rust, Python, TypeScript) with consistent API shapes and the MCP server integration makes this immediately usable for current AI agent tooling without glue code.
- Hard platform requirement (KVM on Linux or Apple Silicon macOS) is a real deployment constraint: no x86 macOS, no Windows, and no cloud VMs without nested virtualization support. The README buries this as a footnote.
- Still beta at v0.3.x with an explicit 'expect breaking changes' warning, and the agentd crate is excluded from the workspace Cargo.toml, which suggests the VM-side agent daemon has a separate, less-tracked release cycle.
- No visible documentation of network policy enforcement: the policy crate exists and tests reference domain_policy, but there's no clear explanation of what isolation guarantees hold if the VM has unrestricted outbound access by default.
- Windows is listed as a topic tag but there's no KVM equivalent path documented for Windows, making it misleading for anyone who sees that tag and assumes cross-platform support.