
Full power.
Full safety.
No compromise.

The sandbox runtime that ends the AI agent dilemma — agents run without restrictions, your host stays completely untouched.

[Diagram: your host (Mac Mini, localhost) with a sandbox inside. Labels: no host net, no host FS, creds safe. Host untouched: agent ran free, host saw nothing.]

How It Works

One daemon, many sandboxes, unlimited agents

1. Start Daemon
   One daemon per host. Manages all networks, mounts, and credentials.
   1 HOST → 1 DAEMON

2. Create Sandboxes
   One daemon creates N isolated sandboxes. Each has its own network and filesystem.
   1 DAEMON → N SANDBOXES

3. Run Agents
   Each sandbox runs M agents. Claude Code, Codex, or any CLI — all in parallel.
   1 SANDBOX → M AGENTS

4. Get Results
   Agents deliver code, commits, PRs back to host. Sandboxes destroyed — host untouched.
   M RESULTS → HOST · SANDBOX → ∅

Core Features

Everything your agents need. Nothing your host risks.

Unrestricted Agents
Agents install anything, run anything, break anything — inside the sandbox. Zero permission prompts. Zero manual approvals. Full autonomy.
$ npm install tensorflow-gpu
847 packages installed
$ python train.py --epochs 500
Running at full speed...
$ curl api.openai.com/v1/chat
Internet open — host safe
Complete Host Isolation
No host filesystem access. No host network access. No exceptions. A bad agent command destroys only the sandbox — never your machine.
Credential Inheritance
SSH agent forwarding and GitHub CLI auth inherited automatically. Claude Code and Codex work immediately — no manual token wiring.
Internet Fully Open
Agents freely download packages, call external APIs, clone repos. Internet is open — your internal network is permanently blocked.
Local-First
Runs on your machine. Zero latency, zero cost, data never leaves. Same daemon and SDK work in cloud deployments when you need to scale.

Security Model

Every guarantee is enforced by the platform — not reliant on agent behavior

| Layer | Mechanism | Status |
| --- | --- | --- |
| Host network | Each sandbox gets its own isolated Docker network. Cannot reach localhost, host services, or the local network. | blocked |
| Internet access | Agents freely download packages, call APIs, clone repos, and interact with the outside world. | open |
| Host filesystem | Zero access by default. Only explicitly declared mounts are allowed; the daemon rejects anything unsafe. | invisible |
| Credentials | Only daemon-defined shortcuts (SSH forwarding, gh CLI auth) can enter. Fixed rules — no arbitrary host path passthrough. | minimal |
| Cleanup | All runtime resources (containers, networks, filesystem state) fully removed on delete. No orphans, no leaks. | complete |
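
One way to spot-check the host network and host filesystem rows from the host side, as an added example that is not the project's own code: it audits `docker inspect` output for host networking, privileged mode, a shared host PID namespace and undeclared bind mounts. The container names, the sample JSON and the declared-mount set are constructed, and the page does not say how the daemon configures its containers.

```python
import json

# Constructed `docker inspect` output for two containers (not real sandbox data).
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/sb-ok",
  "HostConfig": {"NetworkMode": "sb-ok-net", "Privileged": false, "PidMode": ""},
  "Mounts": [{"Type": "bind", "Source": "/home/dev/project", "Destination": "/workspace", "RW": true}]},
 {"Name": "/sb-bad",
  "HostConfig": {"NetworkMode": "host", "Privileged": true, "PidMode": "host"},
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock", "RW": true},
             {"Type": "bind", "Source": "/home/dev", "Destination": "/host-home", "RW": true}]}
]
""")

def audit_container(info, declared_mounts):
    """Return findings where a container breaks the isolation rows of the table.

    declared_mounts: host paths the operator explicitly declared (an assumption).
    """
    findings = []
    host_cfg = info.get("HostConfig", {})
    # Host network row: "host" shares the host stack; the default bridge is shared.
    if host_cfg.get("NetworkMode") in ("host", "bridge", "default"):
        findings.append("network: not on a dedicated network")
    if host_cfg.get("Privileged"):
        findings.append("privileged: host devices and all capabilities exposed")
    if host_cfg.get("PidMode") == "host":
        findings.append("pid: shares host PID namespace")
    # Host filesystem row: every bind mount must be an explicitly declared path.
    for m in info.get("Mounts", []):
        if m.get("Type") != "bind":
            continue
        src = m.get("Source", "")
        if src.endswith("docker.sock"):
            findings.append(f"mount: container runtime socket {src}")
        elif src not in declared_mounts:
            findings.append(f"mount: undeclared host path {src}")
    return findings

def audit_all(inspect_output, declared_mounts):
    return {c["Name"].lstrip("/"): audit_container(c, declared_mounts) for c in inspect_output}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT, {"/home/dev/project"}).items():
        print(name, "OK" if not findings else findings)
```
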

Why Not Built-in Sandboxes?

Codex and Claude Code both have sandboxes. Neither actually solves the dilemma.

| | Codex (danger-full-access) | Claude Code (--dangerously-skip-permissions) | agents-sandbox |
| --- | --- | --- | --- |
| git commit / push | ✓ Works | ✓ Works | ✓ Works |
| Install deps, build, test | ✓ Works | ✓ Works | ✓ Works |
| Approval prompts | ✗ None — all bypassed | ✗ None — all bypassed | ✓ None needed |
| Host filesystem | Fully read & writable | Fully read & writable | Invisible — declared mounts only |
| Other projects on machine | Readable & writable | Readable & writable | Invisible |
| Credential exposure | Inherits full host env | Inherits full host env | SSH agent & gh CLI only |
| Host network | Fully exposed | Fully exposed | Blocked — internet open |
| Blast radius of a bad command | Entire host machine | Entire host machine | Disposable sandbox only |
| Host safety | None | None | Full — host untouched |

Quick Start

Pull the runtime image and start sandboxing your agents in minutes

$ docker pull ghcr.io/agents-sandbox/coding-runtime:latest
$ pip install agents-sandbox
$ python -c "
import asyncio
from agents_sandbox import AgentsSandboxClient

async def main():
    async with AgentsSandboxClient() as client:
        sb = await client.create_sandbox(
            image='ghcr.io/agents-sandbox/coding-runtime:latest',
        )
        result = await client.run(sb.sandbox_id, ('python', '-c', 'print(\"hello from sandbox\")'))
        print(result.stdout)

asyncio.run(main())"

Open Source

Built in the open, for everyone

License: Apache-2.0
Runtime language: Go
SDK: Python
API protocol: Proto3