Sandboxes

Agents run in isolated sandboxes. There are four implementations, listed in order of increasing isolation.

DevSandbox

Plain process spawn. No isolation.

┌──────────────────────────┐
│        Host OS           │
│  ┌────────┐  ┌────────┐  │
│  │ Agent  │  │ Proxy  │  │
│  └────────┘  └────────┘  │
└──────────────────────────┘

Isolation: None
Use case: Local development only
Platform: Any OS

LinuxSandbox

Linux namespaces with seccomp BPF filtering.

┌──────────────────────────┐
│        Host OS           │
│  ┌────────────────────┐  │
│  │ Namespace (PID,NET,│  │
│  │ MNT,USER)          │  │
│  │ ┌────────┐ ┌─────┐ │  │
│  │ │ Agent  │ │Proxy│ │  │
│  │ └────────┘ └─────┘ │  │
│  │ + seccomp BPF      │  │
│  │ + cgroups v2       │  │
│  └────────────────────┘  │
└──────────────────────────┘

Isolation:

  • PID namespace: agent sees only its own processes
  • Network namespace: isolated network stack
  • Mount namespace: restricted filesystem view
  • User namespace: unprivileged inside sandbox
  • Seccomp: syscall allowlist
  • Cgroups: CPU/memory limits

Use case: Production, UDS mode agents
Platform: Linux only
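
The six layers listed above can be checked from the host for a running agent process. The following is an added example, not code from this project: a Python audit over /proc and cgroup v2 files, in which the function names, the /sys/fs/cgroup mount point and the sample values are assumptions made for illustration.

```python
import os

NAMESPACES = ("pid", "net", "mnt", "user")  # the four namespaces the page lists

def _read(path):
    """Return a file's stripped contents, or None if absent or unreadable."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None

def collect(pid="self", cgroot="/sys/fs/cgroup"):
    """Gather facts for one process. Linux only; cgroot is an assumed cgroup2 mount."""
    status = dict(line.partition(":")[::2] for line in
                  (_read(f"/proc/{pid}/status") or "").splitlines())
    cgpath = next((l[3:] for l in (_read(f"/proc/{pid}/cgroup") or "").splitlines()
                   if l.startswith("0::")), None)  # cgroup v2 entry: "0::/path"
    cgdir = cgroot + cgpath if cgpath else None
    return {
        "ns": {n: os.readlink(f"/proc/{pid}/ns/{n}") for n in NAMESPACES},
        "seccomp": status.get("Seccomp", "").strip(),
        "cgroup": cgpath,
        "memory_max": _read(f"{cgdir}/memory.max") if cgdir else None,
        "cpu_max": _read(f"{cgdir}/cpu.max") if cgdir else None,
    }

def audit(agent, host):
    """Map each LinuxSandbox layer to True when the facts show it in effect."""
    result = {f"{n} namespace": agent["ns"][n] != host["ns"][n] for n in NAMESPACES}
    # Mode 2 = a BPF filter is attached; it does not prove the filter is an allowlist.
    result["seccomp"] = agent["seccomp"] == "2"
    mem, cpu = agent["memory_max"], agent["cpu_max"]
    # "max" means unlimited, so cgroup membership alone is not a limit.
    result["cgroups"] = (agent["cgroup"] not in (None, "/")
                         and mem not in (None, "max")
                         and bool(cpu) and cpu.split()[0] != "max")
    return result

def gaps(agent, host):
    """Sorted names of missing layers; an empty list means all six are present."""
    return sorted(k for k, ok in audit(agent, host).items() if not ok)

# Constructed sample facts (not captured from a real system).
HOST = {"ns": {n: f"{n}:[4026531836]" for n in NAMESPACES}}
DEV = dict(HOST, seccomp="0", cgroup="/", memory_max=None, cpu_max=None)
PARTIAL = {"ns": {n: f"{n}:[4026532201]" for n in NAMESPACES}, "seccomp": "0",
           "cgroup": "/agents/a1", "memory_max": "max", "cpu_max": "50000 100000"}
FULL = dict(PARTIAL, seccomp="2", memory_max="536870912")
```

On a live host, gaps(collect(agent_pid), collect()) gives the same report when run from the host's initial namespaces with permission to read the agent's /proc/<pid>/ns entries.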

ContainerSandbox

LinuxSandbox plus veth pair for transparent mode.

┌──────────────────────────────────────┐
│            Host OS                   │
│  ┌────────────────────────────────┐  │
│  │ Namespace                      │  │
│  │ ┌────────┐    ┌─────┐         │  │
│  │ │ Agent  │───►│Proxy│──► inet │  │
│  │ └────────┘    └─────┘         │  │
│  │      │                        │  │
│  │   veth ◄─── iptables DNAT     │  │
│  └────────────────────────────────┘  │
└──────────────────────────────────────┘

Additional features:

  • veth pair: vh-{id} (host) / vs-{id} (sandbox)
  • iptables DNAT: redirects all TCP to proxy
  • DNS stub resolver: only resolves allowed domains

Use case: Production, transparent mode agents
Platform: Linux only

FirecrackerSandbox

Firecracker microVM with vsock communication.

┌───────────────────────────────────────┐
│             Host OS                   │
│  ┌─────────────────────────────────┐  │
│  │ Firecracker microVM             │  │
│  │ ┌────────┐                      │  │
│  │ │ Agent  │◄───► vsock ◄───► Proxy (host)
│  │ └────────┘                      │  │
│  │ Minimal Linux kernel            │  │
│  └─────────────────────────────────┘  │
└───────────────────────────────────────┘

Isolation: Hardware-level via KVM
Use case: High-security requirements
Platform: Linux with KVM
Tier: Paid plans only