Run agent code in a microVM, not a container.

A local-first, open-source runtime that runs AI-agent tool calls in isolated Firecracker microVMs — real hardware isolation, not a shared kernel.

emberd — localhost:7777
$ curl -X POST :7777/sandboxes
{ "id": "sb_c1728b82ac4f" } # boots a microVM · ~450 ms
$ curl -X POST :7777/sandboxes/sb_c17.../exec \
-d '{"code":"print(6*7)"}'
{ "stdout": "42\n", "exit_code": 0 }
$ curl -X DELETE :7777/sandboxes/sb_c17...
204 No Content # VM gone, overlay discarded
$

/ Measured on the reference host

≈450 ms
Cold boot
256 MiB
Guest RAM
1 : 1
VM per sandbox
None
Network by default

/ Why a microVM

01

Real hardware isolation

Every sandbox is its own KVM microVM with its own Linux kernel. A guest escape has to beat the hypervisor — not just a namespace it shares with the host.

02

Serving in ~450 ms

A custom Go initramfs boots an overlayfs root and switch_roots into it. The create call blocks on a vsock readiness probe, so a returned sandbox is usable on the very first exec.

03

A control plane you can read

Length-prefixed JSON over a vsock socket — no IP stack. v0.1 sandboxes run with no network device at all, and PID 1 reaps orphaned processes so nothing leaks.
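The control plane is described only as "length-prefixed JSON over a vsock socket". The following is an added example, not emberd's code, showing what a defensively written host-side codec for that kind of channel looks like: a 4-byte big-endian length prefix (the width and byte order are this example's assumption, as is the 1 MiB cap), a size check before any allocation so a guest cannot force the host to allocate from one hostile header, explicit reporting of truncated streams, and rejection of unknown JSON fields. The ExecRequest and ExecResult field names follow the curl transcript above.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Assumed framing: a 4-byte big-endian length followed by that many bytes of JSON.
// The prefix width, byte order and the cap below are this example's choices, not emberd's.
const maxFrame = 1 << 20 // 1 MiB: one hostile header cannot make the host allocate gigabytes

var (
	ErrFrameTooLarge = errors.New("frame length exceeds maxFrame")
	ErrTruncated     = errors.New("stream ended inside a frame")
)

// ExecRequest and ExecResult mirror the JSON shapes shown in the curl transcript.
type ExecRequest struct {
	Code string `json:"code"`
}

type ExecResult struct {
	Stdout   string `json:"stdout"`
	ExitCode int    `json:"exit_code"`
}

// WriteFrame marshals v and writes [len u32 BE][payload] to w.
func WriteFrame(w io.Writer, v any) error {
	payload, err := json.Marshal(v)
	if err != nil {
		return err
	}
	if len(payload) > maxFrame {
		return ErrFrameTooLarge
	}
	var hdr [4]byte
	binary.BigEndian.PutUint32(hdr[:], uint32(len(payload)))
	if _, err := w.Write(hdr[:]); err != nil {
		return err
	}
	_, err = w.Write(payload)
	return err
}

// ReadFrame reads one frame from r into v. The declared length is checked against
// maxFrame before the payload buffer is allocated, a short read is reported as
// ErrTruncated, and unknown JSON fields are rejected so the guest cannot smuggle
// extra keys past the decoder. A clean EOF between frames is returned as io.EOF.
func ReadFrame(r io.Reader, v any) error {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		if err == io.EOF {
			return io.EOF
		}
		return ErrTruncated
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n > maxFrame {
		return ErrFrameTooLarge
	}
	payload := make([]byte, n)
	if _, err := io.ReadFull(r, payload); err != nil {
		return ErrTruncated
	}
	dec := json.NewDecoder(bytes.NewReader(payload))
	dec.DisallowUnknownFields()
	return dec.Decode(v)
}

// EncodeResult and DecodeResult are byte-slice conveniences around the stream functions.
func EncodeResult(res ExecResult) ([]byte, error) {
	var buf bytes.Buffer
	if err := WriteFrame(&buf, res); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func DecodeResult(b []byte) (ExecResult, error) {
	var res ExecResult
	err := ReadFrame(bytes.NewReader(b), &res)
	return res, err
}

func main() {
	// Host -> guest: an exec request; guest -> host: the result, over one in-memory "socket".
	var wire bytes.Buffer
	_ = WriteFrame(&wire, ExecRequest{Code: "print(6*7)"})
	var req ExecRequest
	_ = ReadFrame(&wire, &req)
	fmt.Printf("guest received code=%q\n", req.Code)

	wire.Reset()
	_ = WriteFrame(&wire, ExecResult{Stdout: "42\n", ExitCode: 0})
	var res ExecResult
	_ = ReadFrame(&wire, &res)
	fmt.Printf("host received stdout=%q exit_code=%d\n", res.Stdout, res.ExitCode)
}
```

The cap matters more than it looks: the untrusted side of a vsock channel is the guest, and the one thing a compromised guest fully controls is the length field it sends. Checking it before `make` keeps a single message from turning into a host-side memory exhaustion.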

Boot your first sandbox.

Three endpoints. One daemon. Runs on your machine.