# zerocore-ai/microsandbox **Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/zerocore-ai-microsandbox).** 4,802 stars · 221 forks · Rust · apache-2.0 ## Links - GitHub: https://github.com/zerocore-ai/microsandbox - Homepage: https://docs.microsandbox.dev - awesome-repositories: https://awesome-repositories.com/repository/zerocore-ai-microsandbox.md ## Topics `agents` `ai` `ai-generated` `container` `docker` `fly` `linux` `macos` `mcp` `orchestration` `python` `sandbox` `sandboxing` `security` `self-hosted` `virtualization` `vm` ## Description microsandbox is a platform that runs untrusted code inside hardware-isolated microVMs, each with its own kernel, filesystem, and network stack. It boots directly from standard OCI container images, supports copy-on-write filesystem layers, and integrates with AI agents to execute tool calls and generated code in isolated environments with secret protection. What sets microsandbox apart is its host-side network proxy that enforces firewall rules, intercepts DNS, inspects TLS traffic, and injects secrets at the network boundary without exposing them inside the VM. It provides SSH access to microVMs without requiring an SSH daemon inside the guest, and can capture, export, and boot from filesystem snapshots for state preservation and replication. The platform also surfaces typed error objects across SDKs for precise failure matching. Beyond core isolation, microsandbox includes full sandbox lifecycle management — creation, graceful shutdown, force termination, replacement, and state deletion — along with configurable storage attachments, interactive terminal sessions, command execution with streaming output, and metric export via OpenTelemetry to backends like Datadog and Prometheus. The engine deploys as a Docker container from multi-arch images and is configured through a JSON settings file. ## Tags ### DevOps & Infrastructure - [Code Execution Sandboxes](https://awesome-repositories.com/f/devops-infrastructure/execution-environments/code-execution-runtimes/code-execution-sandboxes.md) — Boots microVMs from OCI images and runs commands with instant startup in isolated environments. ([source](https://docs.microsandbox.dev/getting-started/introduction.md)) - [Execution Sandboxes](https://awesome-repositories.com/f/devops-infrastructure/execution-sandboxes.md) — Creates temporary sandboxes for single commands and removes them automatically after completion. ([source](https://docs.microsandbox.dev/cli/sandbox-commands.md)) - [Sandbox Lifecycle Management](https://awesome-repositories.com/f/devops-infrastructure/sandbox-lifecycle-management.md) — Terminates sandboxes gracefully with configurable timeout or force-kills immediately. ([source](https://docs.microsandbox.dev/cli/sandbox-commands.md)) - [Snapshot Capture and Restoration Managers](https://awesome-repositories.com/f/devops-infrastructure/sandbox-lifecycle-management/snapshot-capture-and-restoration-managers.md) — An artifact manager that captures, exports, imports, and boots sandboxes from filesystem snapshots for state preservation and replication. - [Docker-in-VM Launchers](https://awesome-repositories.com/f/devops-infrastructure/execution-sandboxes/hypervisor-level-docker-sandboxes/docker-in-vm-launchers.md) — Starts a Docker daemon inside a hardware-isolated VM for running Docker commands. ([source](https://docs.microsandbox.dev/recipes/docker/docker-in-sandbox.md)) - [PTY Session Attachers](https://awesome-repositories.com/f/devops-infrastructure/git-command-execution/interactive-command-sandboxes/pty-session-attachers.md) — Attaches local terminals to processes inside sandboxes for fully interactive PTY sessions. ([source](https://docs.microsandbox.dev/sandboxes/commands.md)) - [Sandbox](https://awesome-repositories.com/f/devops-infrastructure/graceful-shutdowns/sandbox.md) — Sends a shutdown signal allowing pending writes to flush before terminating a sandbox. ([source](https://docs.microsandbox.dev/sdk/typescript/sandbox.md)) - [Host-Guest Mounts](https://awesome-repositories.com/f/devops-infrastructure/volume-mounts/host-guest-mounts.md) — The sandbox platform attaches a host directory at a guest path so the sandbox can read and write files that persist on the host. ([source](https://docs.microsandbox.dev/sandboxes/volumes.md)) ### Security & Cryptography - [MicroVM Sandboxes](https://awesome-repositories.com/f/security-cryptography/application-and-system-security/sandbox-and-isolation/isolated-execution-sandboxes/microvm-sandboxes.md) — Isolates each workload in a dedicated virtual machine with its own kernel, filesystem, and network stack. ([source](https://docs.microsandbox.dev/sandboxes/overview.md)) - [Host-Side Sandbox Proxies](https://awesome-repositories.com/f/security-cryptography/firewalls/host-side-sandbox-proxies.md) — A host-side firewall that controls network access, intercepts DNS, inspects TLS traffic, and injects secrets without exposing them to the sandbox. - [Daemonless SSH Proxies](https://awesome-repositories.com/f/security-cryptography/secure-ssh-access/remote-command-execution-and-file-transfers/daemonless-ssh-proxies.md) — A microVM that exposes SSH protocol for commands, interactive shells, and file transfers without requiring an SSH daemon inside the guest. - [Public Internet Only Outbound Policies](https://awesome-repositories.com/f/security-cryptography/network-isolation/public-internet-only-outbound-policies.md) — The sandbox platform restricts outbound network traffic from untrusted workloads to the public internet, blocking host or private networks. ([source](https://docs.microsandbox.dev/networking/security-model.md)) - [Sandbox State Logs](https://awesome-repositories.com/f/security-cryptography/sandboxing/sandbox-state-management-systems/sandbox-state-logs.md) — Lists all sandboxes with current status and reads captured output from any sandbox. ([source](https://docs.microsandbox.dev/sandboxes/lifecycle.md)) - [Snapshot-Based Boots](https://awesome-repositories.com/f/security-cryptography/sandboxing/sandbox-state-management-systems/snapshot-based-boots.md) — Boots new sandboxes from saved filesystem snapshots, restoring state for reuse or replication across hosts. ([source](https://docs.microsandbox.dev/sandboxes/snapshots.md)) - [SSH](https://awesome-repositories.com/f/security-cryptography/secure-ssh-access/protocol-proxies/ssh.md) — Maps standard SSH sessions into the sandbox by proxying the protocol directly, no guest daemon required. - [Sandbox Exclusion Lists](https://awesome-repositories.com/f/security-cryptography/security/infrastructure-and-hardware/infrastructure-system-hardening/execution-sandboxes/sandbox-security-configurations/sandbox-exclusion-lists.md) — Lists running, stopped, and crashed sandboxes and retrieves handles to specific ones. ([source](https://docs.microsandbox.dev/sdk/python/sandbox.md)) - [Authorized Key Injectors](https://awesome-repositories.com/f/security-cryptography/ssh-key-management/authorized-key-injectors.md) — Adds public keys to sandbox authorized_keys files for passwordless SSH authentication. ([source](https://docs.microsandbox.dev/cli/ssh-commands.md)) ### Artificial Intelligence & ML - [AI Agent Tooling](https://awesome-repositories.com/f/artificial-intelligence-ml/agentic-systems-frameworks/integration-deployment/ai-agent-tooling.md) — The sandbox platform executes AI agent tool calls and generated code inside a dedicated microVM that controls filesystem, network, and secrets. ([source](https://docs.microsandbox.dev/getting-started/agents.md)) - [AI Agent Integrations](https://awesome-repositories.com/f/artificial-intelligence-ml/ai-agent-integrations.md) — The sandbox platform integrates AI coding agents so they create and manage sandboxes via installed skills or an MCP server. ([source](https://cdn.jsdelivr.net/gh/zerocore-ai/microsandbox@main/README.md)) - [MicroVM Agent Sandboxes](https://awesome-repositories.com/f/artificial-intelligence-ml/ai-execution-sandboxes/microvm-agent-sandboxes.md) — An execution environment that integrates with AI agents to run tool calls and generated code inside isolated microVMs with secret protection. ### Development Tools & Productivity - [Sandbox Environment Snapshots](https://awesome-repositories.com/f/development-tools-productivity/browser-environment-deployment-templates/sandbox-templates/snapshot-templating/sandbox-environment-snapshots.md) — Captures the writable filesystem of a stopped sandbox as a portable on-disk artifact. ([source](https://docs.microsandbox.dev/sandboxes/snapshots.md)) - [Sandbox Configuration](https://awesome-repositories.com/f/development-tools-productivity/sandboxed-execution-environments/sandbox-configuration.md) — Inspects full sandbox configuration and runtime state, outputting as formatted text or JSON. ([source](https://docs.microsandbox.dev/cli/sandbox-commands.md)) - [Sandboxed Shell Executions](https://awesome-repositories.com/f/development-tools-productivity/shell-command-execution/sandboxed-shell-executions.md) — Runs commands inside active sandboxes with TTY, environment, workdir, timeouts, and resource limits. ([source](https://docs.microsandbox.dev/cli/sandbox-commands.md)) - [Real-Time Output Streaming](https://awesome-repositories.com/f/development-tools-productivity/real-time-output-streaming.md) — Streams command stdout and stderr as real-time events instead of buffering output. ([source](https://docs.microsandbox.dev/sandboxes/commands.md)) - [SFTP Subsystems](https://awesome-repositories.com/f/development-tools-productivity/remote-file-transfers/sftp-subsystems.md) — The sandbox platform performs file operations such as reading, writing, creating directories, and managing symlinks over SFTP to a sandbox. ([source](https://docs.microsandbox.dev/sandboxes/ssh.md)) ### Networking & Communication - [Host-Side Network Proxies](https://awesome-repositories.com/f/networking-communication/network-infrastructure-routing/network-proxying-tools/network-proxy-management/host-instance-proxies/host-side-network-proxies.md) — Routes all sandbox traffic through a host-side stack for firewall enforcement, TLS inspection, and secret injection. - [Network Policy Enforcement](https://awesome-repositories.com/f/networking-communication/network-policy-enforcement.md) — The sandbox platform controls sandbox network traffic through allow/deny rules with configurable defaults and first-match-wins evaluation. ([source](https://docs.microsandbox.dev/networking/overview.md)) - [Sandbox SSH Servers](https://awesome-repositories.com/f/networking-communication/sandbox-ssh-servers.md) — The sandbox platform serves a sandbox over SSH protocol, enabling external clients to connect, transfer files, or tunnel TCP connections. ([source](https://docs.microsandbox.dev/cli/ssh-commands.md)) - [SSH Client Connections](https://awesome-repositories.com/f/networking-communication/ssh-client-connections.md) — Establishes SSH connections to microVMs for interactive shells and remote command execution. ([source](https://docs.microsandbox.dev/cli/ssh-commands.md)) - [Service Port Forwarding](https://awesome-repositories.com/f/networking-communication/service-port-forwarding.md) — Forwards local TCP connections into sandbox networks using OpenSSH port forwarding. ([source](https://docs.microsandbox.dev/sandboxes/ssh.md)) ### Operating Systems & Systems Programming - [OCI Image Root Filesystems](https://awesome-repositories.com/f/operating-systems-systems-programming/root-filesystem-generators/root-filesystem-bootstrapping/root-filesystem-source-selectors/oci-image-root-filesystems.md) — Boots each sandbox from a standard OCI container image pulled from any registry, using copy-on-write layers. - [CBOR-Framed Relay Protocols](https://awesome-repositories.com/f/operating-systems-systems-programming/virtualization-emulation/virtualization-platforms/virtualization-technologies/virtual-machines/virtual-machine-specifications/guest-agent-hooks/cbor-framed-relay-protocols.md) — Communicates with an in-VM agent over a relay socket using raw CBOR messages with correlation IDs. - [Pre-Boot Filesystem Patchers](https://awesome-repositories.com/f/operating-systems-systems-programming/root-filesystem-generators/root-filesystem-bootstrapping/pre-boot-filesystem-patchers.md) — Modifies the root filesystem before boot to add, replace, or remove files without altering the base image. ([source](https://docs.microsandbox.dev/sandboxes/customize.md)) - [Root Filesystem Source Selectors](https://awesome-repositories.com/f/operating-systems-systems-programming/root-filesystem-generators/root-filesystem-bootstrapping/root-filesystem-source-selectors.md) — Sets the sandbox's root filesystem from an OCI image, host bind mount, or pre-made disk image. ([source](https://docs.microsandbox.dev/sdk/python/images.md)) - [Virtual Disk Image Booting](https://awesome-repositories.com/f/operating-systems-systems-programming/virtual-disk-image-booting.md) — Boots sandboxes directly from disk image files, giving the guest raw block device access. ([source](https://docs.microsandbox.dev/images/disk-images.md)) ### Software Engineering & Architecture - [Hardware-Level Isolation](https://awesome-repositories.com/f/software-engineering-architecture/execution-control/namespace-isolation/namespace-provisioners/container-isolation/hardware-level-isolation.md) — Runs each untrusted workload inside a dedicated VM with its own kernel, filesystem, and network stack. ([source](https://docs.microsandbox.dev/)) - [MicroVM Spawners](https://awesome-repositories.com/f/software-engineering-architecture/integration-extensibility/workflow-automation-integrations/external-application-integrations/child-process-execution/dynamic-server-spawning/microvm-spawners.md) — Spawns hardware-isolated VMs as child processes directly from application code without a daemon. ([source](https://docs.microsandbox.dev/sdk/overview)) - [Network Boundary Secret Injections](https://awesome-repositories.com/f/software-engineering-architecture/provider-abstractions/secret-injection-layers/network-boundary-secret-injections.md) — Injecting secrets into sandboxes by swapping placeholders with real values only when traffic reaches allowed hosts, keeping secrets outside the VM. - [Sandbox](https://awesome-repositories.com/f/software-engineering-architecture/architectural-design-patterns/state-management/persistence-and-serialization/state-serialization/state-snapshots/sandbox.md) — Captures the writable disk state of a stopped sandbox as a portable artifact for later reuse or transfer. ### Part of an Awesome List - [MicroVM Attachments](https://awesome-repositories.com/f/awesome-lists/devops/disk-image-management/microvm-attachments.md) — The sandbox platform mounts a prebuilt disk image as a block device inside the sandbox for dedicated persistent storage. ([source](https://docs.microsandbox.dev/sandboxes/volumes.md)) ### Business & Productivity Software - [Host Transfers](https://awesome-repositories.com/f/business-productivity-software/file-browsers/sandbox/host-transfers.md) — The sandbox platform transfers files in either direction between the host and a sandbox, including same-sandbox and cross-sandbox copies. ([source](https://docs.microsandbox.dev/cli/sandbox-commands.md)) ### Data & Databases - [Host-Guest Channels](https://awesome-repositories.com/f/data-databases/data-engineering-infrastructure/data-persistence-storage/data-storage/file-based-storage/local-file-storage/sandboxed-file-systems/host-guest-channels.md) — The sandbox platform reads from and writes to files inside a running sandbox using the dedicated host-guest channel. ([source](https://docs.microsandbox.dev/sdk/python/sandbox.md)) - [MicroVM Volume Attachments](https://awesome-repositories.com/f/data-databases/external-storage-integrations/volume-mounts/microvm-volume-attachments.md) — The sandbox platform attaches a named volume to a microVM so files written inside are retained across executions. ([source](https://docs.microsandbox.dev/sdk/rust/volumes.md)) - [Multi-Backend Storage Mounts](https://awesome-repositories.com/f/data-databases/file-storage-systems/filesystem-mounts/mount-namespace-virtualization/tmpfs-root-sandbox-execution/virtual-directory-mounts/multi-backend-storage-mounts.md) — The sandbox platform mounts host directories, named volumes, tmpfs, or disk images to specified paths inside a sandbox. ([source](https://docs.microsandbox.dev/sdk/go/volumes.md)) - [Named Volume Lifecycles](https://awesome-repositories.com/f/data-databases/persistent-storage-volumes/named-volume-lifecycles.md) — The sandbox platform creates, accesses, and deletes named storage volumes that persist independently of any sandbox run. ([source](https://docs.microsandbox.dev/cli/overview.md)) ### System Administration & Monitoring - [Init Systems](https://awesome-repositories.com/f/system-administration-monitoring/administrative-operations/linux-system-administration/init-systems.md) — Launches systemd as PID 1 inside microVMs so services expecting a session bus work normally. ([source](https://docs.microsandbox.dev/recipes/guest/systemd-services.md)) - [Metrics Export Health Monitors](https://awesome-repositories.com/f/system-administration-monitoring/health-monitoring/pipeline-health-monitors/metrics-export-health-monitors.md) — The sandbox platform emits export success/failure counters and staleness timestamps from the sidecar into the telemetry pipeline. ([source](https://docs.microsandbox.dev/observability/deep-dive.md)) - [Metric Tagging Utilities](https://awesome-repositories.com/f/system-administration-monitoring/logging-and-telemetry/metric-data-ingestion/metric-tagging-utilities.md) — The sandbox platform attaches resource fields, sandbox identity, and user-defined labels to every datapoint for backend filtering. ([source](https://docs.microsandbox.dev/observability/deep-dive.md)) - [OTLP Collector Forwarding](https://awesome-repositories.com/f/system-administration-monitoring/logging-and-telemetry/metric-data-ingestion/opentelemetry-ingestion/otlp-collector-forwarding.md) — The sandbox platform forwards sandbox metrics in OTLP format to an OpenTelemetry Collector for real-time debug inspection. ([source](https://docs.microsandbox.dev/recipes/metrics-backends/otel-collector.md)) - [Datadog Exporters](https://awesome-repositories.com/f/system-administration-monitoring/observability-tracing/batch-export-utilities/trace-exporters/datadog-exporters.md) — The sandbox platform sends runtime metrics to Datadog via the OpenTelemetry Protocol over HTTP or gRPC. ([source](https://docs.microsandbox.dev/recipes/metrics-backends/datadog.md)) - [OpenTelemetry Exporters](https://awesome-repositories.com/f/system-administration-monitoring/opentelemetry-exporters.md) — The sandbox platform continuously reads sandbox metrics and pushes them via OTLP to any OpenTelemetry-compatible backend. ([source](https://docs.microsandbox.dev/observability/msb-metrics.md))