An imperfect, incomplete collection of projects proving the integrity of tools, tool descriptions, models, data sources, and provenance by combining isolation, sandboxing, security observability, and server-constrained or client-bound tokens. Evolved from this listicle.
- Sandboxing & Isolation
- Provenance, Instrumentation & Observability
- Secrets Management & Isolation
- Agent Identity & Credentials
- References
Projects using Linux security primitives such as bubblewrap, KVM/libkrun, Landlock, Linux namespaces, cgroups, and containers, seccomp, MicroVMs, gVisor or WebAssembly (WASM) for agent runtime sandboxing or isolation.
| Name | Keywords | Description |
|---|---|---|
| π₯ nono | Landlock, secret isolation, integrity | Combines Landlock isolation with integrity-protected configuration and OS-native secrets management, making it one of the most holistic agent sandboxing solutions. See also kubefence, an NRI plugin that transparently injects nono sandboxing into Kubernetes containers and Kata VMs. |
| π₯ e2b | Firecracker, MicroVM | Cloud-based agent sandbox infrastructure using Firecracker MicroVMs for strong hardware-level isolation between agent workloads. |
| π₯ Beams | Firecracker, delegated-identity, zero-secrets | Teleport's agent runtime using Firecracker VMs (200ms startup) with delegated short-lived identity certificates, zero secrets in the sandbox, policy-controlled egress proxy, and inference endpoint routing that injects backend credentials without exposing API keys to the agent. |
| π₯ krunai | KVM, libkrun, MicroVM, gVisor | Purpose-built agent sandbox running AI agents inside libkrun KVM microVMs, transparent user-space networking via gVisor netstack. |
| π₯ stereOS | QEMU, KVM, Nix, gVisor | Purpose-built NixOS for AI agents, support for QEMU/KVM with sub-3s boot, gVisor included for in-VM sandboxing, and vsock-based secret injection via tmpfs. See also agentd. |
| π₯ capsem | Apple Virtualization, hardened-kernel, air-gapped | macOS-native sandbox running agents in Linux VMs via Apple Virtualization.framework. Custom kernel compiled with CONFIG_INET=n (no IP stack) and CONFIG_MODULES=n (no loadable modules), read-only rootfs, BLAKE3 boot asset integrity, no systemd. |
| π₯ Docker Sandboxes | Linux namespaces, cgroups, MicroVM | Docker's purpose-built sandbox for coding agents. See also NanoClaw on Docker Sandboxes for micro VM-based per-agent isolation. |
| π₯ Anthropic's sandbox-runtime | Linux namespaces, seccomp, bubblewrap | Anthropic's experimental agent sandbox combining Linux namespaces and seccomp filters via bubblewrap for process-level isolation. |
| π₯ matchlock | Firecracker, MicroVM, gVisor | CLI and multi-language SDK for running agents in ephemeral Firecracker microVMs with host-boundary secret injection through a MITM proxy. |
| π₯ Cleanroom | Firecracker, MicroVM | Buildkite's self-hosted agent sandbox using Firecracker with host-side gateway credential injection and digest-pinned OCI images. |
| π₯ boxlite | KVM, libkrun | Lightweight VM-based sandbox for coding agents using KVM virtualization via libkrun, providing strong hardware-enforced isolation. |
| π₯ brood-box | KVM, libkrun, MicroVM, snapshot-isolation, egress-control, MCP-authz | CLI for running AI coding agents (Claude Code, Codex, OpenCode) inside libkrun KVM microVMs with COW snapshot isolation, DNS-aware egress policies, and Cedar-based MCP authorization. Built on go-microvm. |
| π₯ Agent Sandbox (k8s) | gVisor, Kata | Kubernetes SIG project combining gVisor and Kata Containers for sandboxing AI agents in cloud-native environments. |
| π₯ OpenSandbox | gVisor, Kata, Firecracker, Docker, Kubernetes | Alibaba's general-purpose sandbox platform for AI agents with multi-language SDKs, per-sandbox egress controls, ingress gateway, and secure container runtimes (gVisor, Kata, Firecracker). |
| π₯ Gondolin | MicroVM | TypeScript/Node.js agent sandbox using QEMU micro-VMs. See also the security design and repo. |
| π₯ k7 | Kata, MicroVM | Agent isolation platform using Kata Containers to add MicroVM-backed security boundaries to agent execution. |
| π₯ Hyperlight + Nanvix | MicroVM, syscall interposition | Hardware-isolated VMs via KVM or Hyper-V with millisecond cold starts and no guest OS β combined with host-side syscall interposition for 150+ syscalls via the Nanvix Rust microkernel |
| π₯ Authority Nanos | unikernel, WASM, capabilities | Unikernel-based agent execution environment built on Nanos with 14 custom syscalls for agent communication and a secondary WASM sandbox for capability-gated tool execution. |
| π₯ Leash | eBPF, LSM, Linux namespaces | Wraps AI coding agents in containers and enforces Cedar policies via eBPF LSM programs scoped to the agent cgroup plus credential injection via header rewriting. |
| π₯ secimport | eBPF, bpftrace, seccomp, nsjail | eBPF-based module-level Python sandbox that uses USDT probes to track which Python module is executing at each syscall boundary and nsjail seccomp profile generation. |
| π₯ sandlock | Landlock, seccomp, seccomp-notif | Process sandbox combining Landlock (filesystem + network + IPC), seccomp-bpf (syscall filtering), and seccomp user notification (resource limits, IP enforcement, /proc virtualization, port virtualization). No root, no cgroups, no containers. COW fork enables O(1) memory scaling β parent loads model once, children share via copy-on-write. See also the architecture blog post. |
| π₯ ironclaw | WASM, Linux namespaces, credential-injection | WASM-sandboxed tools (capability-based permissions, endpoint allowlisting), host-boundary credential injection where secrets never enter WASM memory. |
| π₯ amla-sandbox | WASM, capabilities | WASM-based agent sandbox using wasmtime with a capability-based security model that enforces per-tool method constraints, call limits, and parameter validation before any tool invocation leaves the sandbox. |
| π₯ OpenFang | WASM, taint-tracking | Uses a WASM dual-metered sandbox: wasmtime with both fuel metering and epoch interruption, backed by a watchdog thread that force-kills runaway code. Seeks to implement information flow taint tracking (secrets labelled from source to sink), Ed25519-signed agent manifests, and other techniques. |
| π₯ cua | containers, qemu | Computer-use agent SDK using Linux containers and QEMU-inside-Docker for full desktop environment isolation. See also the qemu-docker library. |
| goose + boxlite discussion | KVM, libkrun | GitHub issue discussing integration of boxlite KVM-based sandboxing into Block's goose agent framework. |
| smolVM | KVM, libkrun, MicroVM | MicroVM sandbox using libkrun and KVM with <200ms boot, network off by default, and a pack command that builds portable single-binary VMs. |
| clampdown | Landlock, seccomp, Linux namespaces, SELinux, AppArmor | Hardened container sandbox with zero-capability agent (cap-drop=ALL), Landlock V3 filesystem isolation, ~115 blocked syscalls via seccomp, mandatory OCI hooks enforcing security policy on every tool container the agent spawns and SELinux/AppArmor confinement. |
| IronCurtain | V8, Linux namespaces, bubblewrap | Multi-layer agent sandbox: Code Mode runs TypeScript in a V8 isolate with zero host access, Docker Mode runs external agents (Claude Code, Goose) in network-disabled containers. Plain-English constitution compiled into deterministic policy rules enforced on every MCP tool call, plus bubblewrap-sandboxed MCP servers. |
| monty | capabilities | Minimal secure Python interpreter written in Rust for running LLM-generated code with no host access by default β filesystem, network, and env are only available via explicitly provided external functions, with sub-microsecond startup and serializable execution state. |
| yolo-cage | Linux containers | Agents run in K8s pods inside a Vagrant VM, with a git dispatcher that classifies commands (LOCAL/BRANCH/MERGE/REMOTE_READ/REMOTE_WRITE/DENIED) and enforces per-branch isolation, a fail-closed mitmproxy egress proxy with LLM-Guard secret scanning and GitHub API operation blocking, TruffleHog pre-push hooks, and Kubernetes NetworkPolicy. |
| OpenShell | K3s, containers, credential-injection | NVIDIA's agent sandbox runtime using K3s (Kubernetes inside Docker) with four policy domains: filesystem, L7 network policy (HTTP method + path enforcement, hot-reloadable), process constraints, and a privacy router that strips agent credentials and injects backend credentials for LLM API calls. |
| agentsh | eBPF, seccomp, Linux namespaces | Shell shim, eBPF cgroup network enforcement (domain allowlisting, DNS interception), and seccomp-bpf with user-notify for signal interception and syscall blocking. |
| fence | bubblewrap, Landlock, seccomp, eBPF, Linux namespaces | Cross-platform agent sandbox using bubblewrap with Landlock, seccomp, and eBPF monitoring on Linux. |
| dyana | containers, eBPF, Tracee, Docker | Docker-based sandbox for loading, running, and profiling untrusted files (ML models, Pickle, ELF, JS) with hardened containers (cap-drop ALL, no-new-privileges, network disabled, ipc-none, mem/pid limits, tmpfs noexec) monitored by an Aqua Tracee eBPF sidecar that traces 40+ security events (fileless execution, ld_preload, code injection, syscall hooking) scoped to the target container. |
| shai | containers, Linux namespaces | Agent sandbox using container isolation with a novel cellular development model for controlled agent-driven code changes, scoping changes to discrete units. |
| Rover Sandbox | containers | Endor Labs' Rover uses Linux containers to sandbox agent tool execution within its security-focused agent framework. See also the sandbox implementation code. |
| Veto (Ona) | BPF LSM, content-addressable | Content-addressable kernel enforcement using BPF LSM: blocks executables by SHA-256 hash of binary content (not path), pre-execution with no TOCTOU gap. The deep dive on agent evasion of path-based controls is a good read for anyone working with bubblewrap. |
Other tools of potential interest include:
For a structured approach to evaluating and comparing sandboxes, The Agent Sandbox Taxonomy decomposes sandboxing into 7 defense layers (L1 Compute Isolation through L7 Observability), maps them against 7 threat categories (data exfiltration through denial of service), and scores mechanisms on strength, granularity, and portability β includes score cards for 23 products and composition patterns for stacking complementary tools.
Containers and Linux namespaces: ExitBox, code-sandboxes, Kilntainers (MCP server routing agent tool calls to Docker/Podman, E2B, Modal, or WASM sandboxes β the agent communicates with the sandbox over MCP so credentials never enter it), nanoclaw, yolobox, agentbox, construct-cli, and ctenv all rely on standard Linux container isolation. try and usand use Linux namespaces via unshare to let commands run in a contained environment. nsjail is Google's lightweight process isolation tool combining Linux namespaces, cgroups, and seccomp-bpf. sandbox (Cloudflare) provides a seccomp library for syscall filtering. systemd's exec security settings and setpriv serve as convenient declarative frontends for composing namespaces, seccomp, and capabilities.
Bubblewrap: bubblewrap is an unprivileged sandboxing tool that backs several projects listed here. It can be applied directly to Claude Code or OpenCode, with nixwrap providing a Nix-declarative wrapper, sandbox-run a minimal CLI around it, and Grauwolf's sandbox-run a per-project wrapper that isolates file writes, tmp, and tool state.
Landlock: Landlock is a stackable LSM for unprivileged filesystem and network restriction. island is the go-to sandbox tool. landrun and rstrict are CLI tools for restricting process access. Litterbox combines Landlock with Linux namespaces, and Cursor Agent Sandboxing uses Landlock, noting 40% fewer approval interruptions after teaching agents about their sandbox constraints.
Sandboxed and virtualized runtimes: gVisor intercepts Linux syscalls to shrink the attack surface for containerized workloads without full hardware virtualization. Kata Containers provide lightweight virtual machines with a standard container interface. libkrun is a library for running lightweight KVM-backed VMs that serves as the hypervisor isolation layer for boxlite, brood-box, krunai, and several other agent sandboxes in this list. go-microvm is a Go framework for running OCI images as microVMs via libkrun. styrolite is Edera's container runtime engine that runs containers inside VM guests via a type 1 paravirtualized hypervisor (see the Edera hypervisor paper). microvm.nix is a Nix Flake for declaratively building and running NixOS MicroVMs across hypervisors (cloud-hypervisor, Firecracker, QEMU, crosvm, etc.) The OpenClaw MicroVM walkthrough is a practical blog post demonstrating MicroVM-based agent sandboxing using cloud-hypervisor, with network egress logging via nftables/unbound and secret injection through virtiofs mounts.
WASM and browser-grade isolation: langchain-sandbox and Pyodide bring Python into WASM for sandboxed agent code execution; RLBox provides WASM-based library sandboxing for isolating untrusted components within a process; wassette applies WASM at fine-grained component boundaries. V8 Isolates offer a lightweight per-request isolation model as an alternative to containers or VMs. Deno Deploy Sandbox is a managed sandbox API that gives each execution a dedicated Firecracker microVM.
Projects that instrument agents for security observability, which could be useful for provenance tracking and to feed policy decision points (PDPs), including gateways, proxies, eBPF-based tools, attestation frameworks, policy engines, and tracing systems.
| Name | Keywords | Description |
|---|---|---|
| π₯ aflock | SPIFFE, in-toto, provenance, policy | Signed policy files that constrain agent behavior and produce verifiable attestations derived from model, environment, tools, policy, and parent. Facilitates key separation, SPIFFE-modeled workload attestation, and in-toto-inspired sublayouts for delegated sub-agent constraints. |
| π₯ cupcake | tracing | EQTY Lab's runtime security framework for agents providing signed execution traces and verifiable agent behavior guarantees. |
| π₯ mandible | provenance | Multi-agent coordination framework with built-in cryptographic provenance: bridge attestations create linked chains of custody across environments. Seeks to implement output-level provenance and causal lineage tracking as first-class primitives. |
| π₯ sage | observability | Hooks into agent tool calls to validate commands, URLs, file writes, and package installs against cloud-based reputation APIs, local YAML threat heuristics, and supply-chain package analysis. |
| π₯ AgentSentinel | eBPF | Real-time defense framework for monitoring and constraining agent behavior using eBPF instrumentation. See also the research paper. |
| π₯ AgentSight (eBPF) | eBPF | eBPF-based observability tool providing kernel-level tracing of agent runtime behavior without modifying the agent code. |
| π₯ membrane | eBPF, Tracee, egress-filtering | Agent-agnostic sandbox with eBPF tracing (via Tracee sidecar) logging all file, network, and process activity as structured JSONL, hostname-allowlisted egress filtering with continuous DNS refresh, filesystem masking/read-only patterns, and unprivileged Docker-in-Docker via Sysbox. |
| π₯ agentgateway | policy | Dedicated gateway for agent traffic providing centralized observability, policy enforcement, and access control at the agent boundary. |
| π₯ rover (instrumentation) | tracing, policy, sandbox | Endor Labs' security-focused agent framework with built-in tracing, policy enforcement, and sandboxed tool execution. |
| ClawShield | eBPF, iptables, proxy, OCSF | Defense-in-depth security proxy for AI agents with optional eBPF syscall monitoring, note the cross-layer event bus that helps tighten policies across layers. |
| SentinelGate | MCP, policy | Cross-platform userspace firewall for AI agents that intercepts MCP tool calls (as an aggregating proxy), shell commands, file access, and HTTP requests, enforcing RBAC and CEL-powered policies (same engine as Kubernetes/Envoy) |
| carapace | Cedar, LLM-proxy, MCP | Cedar policy enforcement for AI agents with an LLM proxy that intercepts model responses and strips denied tool calls before the agent sees them β the agent never holds the real API key. Gates MCP tools, shell commands, and API domains via Cedarling WASM (<6ms). |
| gryph | hooks, audit-trail | Local-first audit trail for AI coding agents that hooks into tool calls and logs every file read/write and command execution. |
| Arize Phoenix Tracing | tracing, observability | Arize Phoenix's LLM tracing framework providing observability into agent tool calls and execution flows. |
| agentry | tracing | Agent protocol implementation providing structured message tracing and policy hooks for securing agent-to-agent interactions. |
| dapr-a2a | observability | Dapr integration for Agent-to-Agent protocol providing service mesh-style observability and policy for inter-agent communication. |
| toolhive provenance | MCP, provenance, registry | Toolhive's registry architecture documenting how tool provenance and security metadata are tracked for MCP servers. |
| Virtual MCP Server (Stacklok) | MCP, provenance | Stacklok's unified gateway multiplexing multiple MCP servers with centralized policy and provenance verification via toolhive. |
| Agent Governance Toolkit | policy, OPA, Cedar, SPIFFE, SRE | Microsoft's runtime governance framework with deterministic policy enforcement (OPA/Rego + Cedar), Ed25519/SPIFFE agent identity, trust scoring, SRE tooling (SLOs, error budgets, chaos), and full OWASP Agentic Top 10 coverage. Multi-language (Python, TypeScript, .NET). |
Projects and technologies that credibly separate (isolate) credentials and tokens from the main agent runtime.
| Name | Keywords | Description |
|---|---|---|
| π₯ nono secrets management | keyring, OS-secure-store, Landlock | nono's secrets management layer using OS-native secure stores (e.g., keyring) to isolate credentials from the agent runtime entirely. The credential injection proxy implements a phantom token pattern where the agent only sees a per-session token and real credentials are swapped in by a host-side proxy. |
| π₯ agent-creds | Macaroons, Envoy, iptables, TLS-interception, Docker, credential-injection | Network-isolated Docker sandbox with iptables-enforced traffic routing through an Envoy TLS-intercepting proxy, where a vault service validates Macaroon tokens (scoped by host, method, path, and expiry) and injects real API credentials server-side. |
| π₯ wardgate | gateway, credential-injection, SSH, IMAP, SMTP, containers, approval-workflow | Security gateway isolating credentials; agents authenticate to the gateway with their own key while real credentials are injected server-side β combined with "conclaves" (isolated containers with per-command policy, pipeline parsing, and tool/data/network isolation) |
| π₯ Riptides on-the-wire credential injection | kernel, SPIFFE, Vault, OpenBao, credential-injection | Kernel-space interception of outbound agent requests with on-the-wire injection of Vault/OpenBao-sourced credentials via SPIFFE workload identity, ensuring secrets never materialize in agent user space. |
| clawshell | proxy, virtual-keys, DLP, Unix-permissions | Drop-in sidecar proxy for OpenClaw that maps virtual API keys to real provider credentials (stored in a Unix-permission-protected config), with regex-based DLP scanning that can block or redact PII in request/response bodies before they reach upstream LLM APIs. |
| prxlocal | proxy, secret-injection | Simple proxy-based technique for separating secrets from agent execution by intercepting requests and injecting credentials externally. |
| secretless-ai | hooks, secret-injection, keychain | Keeps credentials out of AI context windows, esp. for Claude Code it installs a PreToolUse hook that intercepts every file read, grep, glob, bash, write, and edit before execution. Supports multiple secret backends (local AES-256-GCM, OS keychain, 1Password). |
| enject | secret-isolation, CLI, subprocess-injection | Rust CLI (formerly enveil) that replaces .env plaintext values with en:// placeholder references while real values are stored in an Argon2id-derived AES-256-GCM encrypted local store. Decrypts, resolves references, injects real values into the subprocess environment, then zeroizes key material. Deliberately omits get/export commands to prevent AI-readable secret leakage. |
| airut masked secrets | proxy, masked-secrets, network-allowlist, AWS-SigV4 | mitmproxy transparently intercepts all HTTPS traffic, generates format-preserving surrogate tokens, injects them into the container's environment, and the proxy swaps surrogate β real value in outgoing request headers only for scoped hosts. |
| Tailscale Aperture | gateway, credential-injection, Tailscale, observability | Alpha LLM API gateway running on a tailnet, extracts the model name from each request body, routes to the correct provider and injects provider authentication headers server-side. |
| latchkey | credential-injection, curl, browser-login, agent-skills | TypeScript CLI that injects stored credentials into curl requests to known third-party APIs (Slack, GitHub, Discord, Linear, Google Workspace, AWS, Stripe, and ~25 more). Credentials are encrypted under ~/.latchkey using the OS keyring. |
Other secret management tools of potential interest include: sops (CNCF sandbox project, supports various KMS, passes decrypted secrets directly to subprocesses without writing them to disk), fnox, dotenvx (encrypted .env files via public/private key separation, used in PayPal's Agent Toolkit and Daytona's SDK), varlock, and envio.
Specs, proposals, reference implementations, extensions, and ideas addressing agent identity and credentials that capture provenance, intent, and integrity.
- OAuth and token standards: FAPI / RAR (RFC 9396), SD-JWT (RFC 9901), Verifiable Intent β Mastercard/Google open spec using three-layer SD-JWT delegation chains (issuer β user β agent) with 8 machine-enforceable constraint types for agent commerce authorization (blog post, site), AI Agent Auth and Authz (IETF) β Internet-Draft composing WIMSE, OAuth 2.0, Transaction Tokens, and HTTP Message Signatures into a coherent agent auth framework, CAAM (IETF) β sidecar-based Contextual Agent Authorization Mesh defining a Session Context Object (JWT/CWT with
ctxclaim) that bridges SPIFFE workload identity and IPSIE human identity with ReBAC, RATS attestation, and purpose-bound delegation, Transaction Tokens, CAEP and SSF, JWT Authorization Grants in MCP, Token Exchange in MCP - Workload identity and attestation: WIMSE, Trustworthy Workload Identity, CoSAI Remote Attestation
- Distributed policy engines (PEPs/PDPs): AuthZEN, Cedarling, casbin, Oso
- Decentralized trust registries: Trust over IP (explainer), Verifiable Trust, TRQP, Anonymous Credentials (ARC)
- Research and frameworks: Inter-Agent Trust Models, Nanda Unified Architecture, IAM for Agents, PIC Model, Agent Identity Protocol (AIP) β open standard proposed to IETF with cryptographic agent identity, AAT tokens, revocation, and policy enforcement (Go SDK), opena2a agent-identity-management, Specification Compendium (naftiko), CSA Agentic AI IAM Whitepaper, AGBAC with reference implementation.
- Forums and working groups: DIF Trusted Agents WG, DIF TAAWG Mailing List
- Also worth noting: Progressive Authentication, Capability Negotiation, EAM-SQL Safety Envelopes, Permission Protocol β fail-closed authority receipts for agent actions with SHA-256 input hashing, human-in-the-loop escalation, and CI gate templates
For a good birds-eye overview of this space, see Andrew Green's overview of agent auth solutions.
Several good ideas are also explored in blog posts and articles, including DCR for MCP, SPIFFE and OAuth, Verifiable Credentials for AI, Continuous Authorization, Delegated Authorization, Delegation patterns, Riptides, Encoding User Intent, ID-JAG, OAuth Limitations for Agents, Qualified VDRs, Agents and Payments Identity, Ambient Mesh, Token-Based Access Control, Applicability of Standards, Chaining and Nesting for Lineage, and FGA for Agent Authorization.
Papers, frameworks, and documents discussing agent runtime security, threat models, and recommended mitigations.
- Threat models and top-10 style frameworks: OWASP Top 10 Agentic, Meta: Practical AI Agent Security, AWS Agentic AI Security Matrix, AARM: Autonomous Action Runtime Management β open specification formalizing runtime interception of agent actions with threat models for prompt injection, confused deputy, and intent drift, plus four implementation architectures (protocol gateway, SDK instrumentation, kernel eBPF, vendor integration)
- MCP-focused security documents: SAFE-MCP, CoSAI MCP Security, SoK: MCP Ecosystem Security, Enterprise MCP Security Frameworks, Securing MCP: Risks, Controls, Governance, MCP Server Security Standard
- Agent communication protocol security: Security of AI Agent Communication Protocols β systematic threat modeling and risk assessment across MCP, A2A, Agora, and ANP with a measurement-driven case study on wrong-provider tool execution
- Cryptographic integrity of tools, models, and data: CoSAI Crypto Verification of Resources, CoSAI Signing ML Artifacts, SAFE-M-2 Tool Description Integrity, SAFE-M-30 Data Source Integrity, SAFE-M-34 Model Integrity
- ML lifecycle provenance: Atlas ML Provenance (CLI), OpenSSF GPU Model Integrity, OpenSSF Model Lifecycle Provenance
Surveys, guides, and foundational literature on Linux security technologies applicable to agent sandboxing.
- Sandboxing surveys and guides: Survey of Real-World Process Sandboxing, awesome-sandbox, Ikangai Sandboxing Guide
- Landlock: Landlock.io, Landlock: Idea to Implementation, Landlock integrations
- Containers and kernel security: Leveraging Kernel Security for Containers, Security Challenges in Container Cloud