microsandbox
Advanced tools
Lightweight VM sandboxes for Node.js — run AI agents and untrusted code with hardware-level isolation.
Lightweight VM sandboxes for Node.js — run AI agents and untrusted code with hardware-level isolation.
The microsandbox npm package provides native bindings to the microsandbox runtime. It spins up real microVMs (not containers) in under 100ms, runs standard OCI (Docker) images, and gives you full control over execution, filesystem, networking, and secrets — all from a simple async API.
| Platform | Architecture | Package |
|---|---|---|
| macOS | ARM64 (Apple Silicon) | @superradcompany/microsandbox-darwin-arm64 |
| Linux | x86_64 | @superradcompany/microsandbox-linux-x64-gnu |
| Linux | ARM64 | @superradcompany/microsandbox-linux-arm64-gnu |
Platform-specific binaries are installed automatically via optional dependencies.
npm install microsandbox
The postinstall script automatically downloads the msb binary and libkrunfw library to ~/.microsandbox/.
import { Sandbox } from "microsandbox";
// Create a sandbox from an OCI image.
const sandbox = await Sandbox.create({
name: "my-sandbox",
image: "alpine",
cpus: 1,
memoryMib: 512,
});
// Run a command.
const output = await sandbox.shell("echo 'Hello from microsandbox!'");
console.log(output.stdout());
// Stop the sandbox.
await sandbox.stopAndWait();
import { Sandbox } from "microsandbox";
const sandbox = await Sandbox.create({
name: "exec-demo",
image: "python",
replace: true,
});
// Collected output.
const result = await sandbox.exec("python3", ["-c", "print(1 + 1)"]);
console.log(result.stdout()); // "2\n"
console.log(result.code); // 0
// Shell command (pipes, redirects, etc.).
const output = await sandbox.shell("echo hello && pwd");
console.log(output.stdout());
// Full configuration.
const configured = await sandbox.execWithConfig({
cmd: "python3",
args: ["script.py"],
cwd: "/app",
env: { PYTHONPATH: "/app/lib" },
timeoutMs: 30000,
});
// Streaming output.
const handle = await sandbox.execStream("tail", ["-f", "/var/log/app.log"]);
let event;
while ((event = await handle.recv()) !== null) {
if (event.eventType === "stdout") process.stdout.write(event.data);
}
await sandbox.stopAndWait();
const fs = sandbox.fs();
// Write and read files.
await fs.write("/tmp/config.json", Buffer.from('{"debug": true}'));
const content = await fs.readString("/tmp/config.json");
// List a directory.
const entries = await fs.list("/etc");
for (const entry of entries) {
console.log(`${entry.path} (${entry.kind})`);
}
// Copy between host and guest.
await fs.copyFromHost("./local-file.txt", "/tmp/file.txt");
await fs.copyToHost("/tmp/output.txt", "./output.txt");
// Check existence and metadata.
if (await fs.exists("/tmp/config.json")) {
const meta = await fs.stat("/tmp/config.json");
console.log(`size: ${meta.size}, kind: ${meta.kind}`);
}
import { Sandbox, Volume, Mount } from "microsandbox";
// Create a 100 MiB named volume.
const data = await Volume.create({ name: "my-data", quotaMib: 100 });
// Mount it in a sandbox.
const writer = await Sandbox.create({
name: "writer",
image: "alpine",
volumes: { "/data": Mount.named(data.name) },
replace: true,
});
await writer.shell("echo 'hello' > /data/message.txt");
await writer.stopAndWait();
// Mount the same volume in another sandbox (read-only).
const reader = await Sandbox.create({
name: "reader",
image: "alpine",
volumes: { "/data": Mount.named(data.name, { readonly: true }) },
replace: true,
});
const output = await reader.shell("cat /data/message.txt");
console.log(output.stdout()); // "hello\n"
await reader.stopAndWait();
// Cleanup.
await Sandbox.remove("writer");
await Sandbox.remove("reader");
await Volume.remove("my-data");
import { Sandbox, NetworkPolicy } from "microsandbox";
// Default: public internet only (blocks private ranges).
const publicOnly = await Sandbox.create({
name: "public",
image: "alpine",
});
// Fully airgapped.
const isolated = await Sandbox.create({
name: "isolated",
image: "alpine",
network: NetworkPolicy.none(),
});
// Unrestricted.
const open = await Sandbox.create({
name: "open",
image: "alpine",
network: NetworkPolicy.allowAll(),
});
// DNS filtering.
const filtered = await Sandbox.create({
name: "filtered",
image: "alpine",
network: {
blockDomains: ["blocked.example.com"],
blockDomainSuffixes: [".evil.com"],
},
});
const sandbox = await Sandbox.create({
name: "web",
image: "python",
ports: { "8080": 80 }, // host:8080 -> guest:80
});
Secrets use placeholder substitution — the real value never enters the VM. It is only swapped in at the network layer for HTTPS requests to allowed hosts.
import { Sandbox, Secret } from "microsandbox";
const sandbox = await Sandbox.create({
name: "agent",
image: "python",
secrets: [
Secret.env("OPENAI_API_KEY", {
value: process.env.OPENAI_API_KEY!,
allowHosts: ["api.openai.com"],
}),
],
});
// Guest sees: OPENAI_API_KEY=$MSB_OPENAI_API_KEY (a placeholder)
// HTTPS to api.openai.com: placeholder is transparently replaced with the real key
// HTTPS to any other host with the placeholder: request is blocked
Modify the filesystem before the VM boots:
import { Patch, Sandbox } from "microsandbox";
const sandbox = await Sandbox.create({
name: "patched",
image: "alpine",
patches: [
Patch.text("/etc/greeting.txt", "Hello!\n"),
Patch.mkdir("/app", { mode: 0o755 }),
Patch.text("/app/config.json", '{"debug": true}', { mode: 0o644 }),
Patch.copyDir("./scripts", "/app/scripts"),
Patch.append("/etc/hosts", "127.0.0.1 myapp.local\n"),
],
});
Sandboxes in detached mode survive the Node.js process:
// Create and detach.
const sandbox = await Sandbox.createDetached({
name: "background",
image: "python",
});
await sandbox.detach();
// Later, from another process:
const handle = await Sandbox.get("background");
const reconnected = await handle.connect();
const output = await reconnected.shell("echo reconnected");
const sandbox = await Sandbox.create({
name: "tls-inspect",
image: "python",
network: {
tls: {
bypass: ["*.googleapis.com"],
verifyUpstream: true,
interceptedPorts: [443],
},
},
});
import { Sandbox, allSandboxMetrics } from "microsandbox";
const sandbox = await Sandbox.create({
name: "metrics-demo",
image: "python",
});
// Per-sandbox metrics.
const m = await sandbox.metrics();
console.log(`CPU: ${m.cpuPercent.toFixed(1)}%`);
console.log(`Memory: ${(m.memoryBytes / 1024 / 1024).toFixed(1)} MiB`);
console.log(`Uptime: ${(m.uptimeMs / 1000).toFixed(1)}s`);
// All sandboxes at once.
const all = await allSandboxMetrics();
for (const [name, metrics] of Object.entries(all)) {
console.log(`${name}: ${metrics.cpuPercent.toFixed(1)}%`);
}
import { isInstalled, install } from "microsandbox";
if (!isInstalled()) {
await install(); // Downloads msb + libkrunfw to ~/.microsandbox/
}
| Class | Description |
|---|---|
Sandbox | Live handle to a running sandbox — lifecycle, execution, filesystem |
SandboxHandle | Lightweight database handle — use connect() or start() to get a live Sandbox |
ExecOutput | Captured stdout/stderr with exit status |
ExecHandle | Streaming execution handle — call recv() for events |
ExecSink | Writable stdin channel for streaming exec |
SandboxFs | Guest filesystem operations (read, write, list, copy, stat) |
Volume | Persistent named volume |
VolumeHandle | Lightweight volume handle from the database |
| Class | Description |
|---|---|
Mount | Volume mount configuration — Mount.bind(), Mount.named(), Mount.tmpfs() |
NetworkPolicy | Network presets — NetworkPolicy.none(), NetworkPolicy.publicOnly(), NetworkPolicy.allowAll() |
Secret | Secret entry — Secret.env(name, options) |
| Interface | Description |
|---|---|
SandboxConfig | Sandbox creation configuration |
ExecConfig | Full command execution options (cmd, args, cwd, env, timeout, tty) |
NetworkConfig | Network policy with rules, DNS blocking, TLS interception |
MountConfig | Volume mount (bind, named, or tmpfs) |
PatchConfig | Pre-boot filesystem modification |
VolumeConfig | Volume creation options (name, quota, labels) |
SecretEntry / SecretEnvOptions | Secret binding to env var with host allowlist |
ExecEvent | Stream event: "started", "stdout", "stderr", "exited" |
ExitStatus | Exit code and success flag |
FsEntry / FsMetadata | Filesystem entry info and metadata |
SandboxInfo | Sandbox listing info (name, status, timestamps) |
SandboxMetrics | Resource metrics (CPU, memory, disk I/O, network I/O, uptime) |
TlsConfig | TLS interception options (bypass domains, upstream verification) |
| Function | Description |
|---|---|
isInstalled() | Check if msb and libkrunfw are available |
install() | Download and install runtime dependencies |
allSandboxMetrics() | Get metrics for all running sandboxes |
| Enum | Values |
|---|---|
LogLevel | "trace", "debug", "info", "warn", "error" |
PullPolicy | "always", "if-missing", "never" |
Apache-2.0
FAQs
Lightweight VM sandboxes for Node.js — run AI agents and untrusted code with hardware-level isolation.
The npm package microsandbox receives a total of 535 weekly downloads. As such, microsandbox popularity was classified as not popular.
We found that microsandbox demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security News
Campaign of 108 extensions harvests identities, steals sessions, and adds backdoors to browsers, all tied to the same C2 infrastructure.
Security News
OpenAI rotated macOS signing certificates after a malicious Axios package reached its CI pipeline in a broader software supply chain attack.
Security News
Open source is under attack because of how much value it creates. It has been the foundation of every major software innovation for the last three decades. This is not the time to walk away from it.