Agents get a bash-like shell and can only call tools you provide, with constraints you define. No Docker, no subprocess, no SaaS — just pip install amla-sandbox
Agents get a bash-like shell and can only call tools you provide, with constraints you define. No Docker, no subprocess, no SaaS — just pip install amla-sandbox
While I think that with their current choice for the runtime will hit some limitations (aka: not really full Python support, partial JS support), I strongly believe using Wasm for sandboxing is the way for the future of containers.
At Wasmer we are working hard to make this model work. I'm incredibly happy to see more people joining on the quest!
Wasmer is doing great work—we're using wasmtime on the host side currently but have been following your progress. Excited to see WASM sandboxing become more mainstream for this use case.
That's true, but you'll likely need sockets, pydantic or SQLAlchemy (all of of them require heavy support on the Wasm layer!)
We implemented all the system calls necessary to make networking work (within Wasm), and dynamic linking (so you could import and run pydantic, numpy, gevent and more!)
https://labs.leaningtech.com/blog/browserpod-beta-announceme...
The main issue that I see with Browserpod is very similar to Emscripten: it's designed to work mainly in the browser, and not outside.
In my view, where Wasm really shines, is for enabling containers that work seamlessly in any of this environments: browsers, servers, or even embedded in apps :)
I've been working on a couple of things which take a very similar approach, with what seem to be some different tradeoffs:
- eryx [1], which uses a WASI build of CPython to provide a true Python sandbox (similar to componentize-py but supports some form of 'dynamic linking' with either pure Python packages or WASI-compiled native wheels) - conch [2], which embeds the `brush` Rust reimplementation of Bash to provide a similar bash sandbox. This is where I've been struggling with figuring out the best way to do subcommands, right now they just have to be rewritten and compiled in but I'd like to find a way to dynamically link them in similar to the Python package approach...
One other note, WASI's VFS support has been great, I just wish there was more progress on `wasi-tls`, it's tricky to get network access working otherwise...
[1] https://github.com/eryx-org/eryx [2] https://github.com/sd2k/conch
For `jq` specifically we use the excellent `jaq_interpret` crate: https://crates.io/crates/jaq-interpret
curl is interesting. We don't include it currently but we could do it without too much additional effort.
Networking isn't done within the wasm sandbox; we "yield" back to the the caller using what we call "host operations" in order to perform any IO. This keeps the Wasm sandbox minimal and as close to "pure compute" as possible. In fact, the only capabilities we give the WASI runtime is a method to get the current time and to generate random numbers. Since we intercept all external IO, random number generation, time, and the Wasm runtime is just for pure computation, we also get perfect reproducibility. We can replay anything within the sandbox exactly.
Your approach with brush is interesting. Having actual bash semantics rather than "bash-like" is a real advantage for complex scripts. The dynamic linking problem for subcommands is a tough one; have you looked at WASI components for this? Feels like that's where it'll eventually land but the tooling isn't there yet.
Will check out eryx and conch. Thanks for sharing!
I did something very similar to you for networking in eryx too (no networking in conch yet); defined an `eryx:net` interface in WIT and reimplemented the `urllib` module using host networking, which most downstream packages (httpx, requests, etc) use far enough down the stack. It's a tradeoff but I think it's pretty much good enough for most use cases like this, and gives the host full control which is great.
Oh full transparency, the vast majority of conch and eryx were written by Opus 4.5. Being backed by wasmtime and the rather strict Rust compiler is definitely a boon here!
One nice thing about using AgentFS as the VFS is that it's backed by sqlite so it's very portable - making it easy to fork and resume agent workflows across machines / time.
I really like Amla Sandbox addition of injecting tool calls into the sandbox, which lets the agent generated code interact with the harness provided tools. Very interesting!
westurner•1h ago
> Security model
> The sandbox runs inside WebAssembly with WASI for a minimal syscall interface. WASM provides memory isolation by design—linear memory is bounds-checked, and there's no way to escape to the host address space. The wasmtime runtime we use is built with defense-in-depth and has been formally verified for memory safety.
> On top of WASM isolation, every tool call goes through capability validation: [...]
> The design draws from capability-based security as implemented in systems like seL4—access is explicitly granted, not implicitly available. Agents don't get ambient authority just because they're running in your process.
westurner•1h ago
>> How to run vscode-container-wasm-gcc-example with c2w, with joelseverin/linux-wasm?
> linux-wasm is apparently faster than c2w.
container2wasm issue #550: https://github.com/container2wasm/container2wasm/issues/550#...
vscode-container-wasm-gcc-example : https://github.com/ktock/vscode-container-wasm-gcc-example
Cloudflare Runners also run WASM; with workerd:
cloudflare/workerd : https://github.com/cloudflare/workerd
...
"Cage" implements ARM64 MTE Memory Tagging Extensions support for WASM with LLVM emscripten iirc:
- "Cage: Hardware-Accelerated Safe WebAssembly" (2024) https://news.ycombinator.com/item?id=46151170 :
> [ llvm-memsafe-wasm , wasmtime-mte , ]
souvik1997•1h ago
We differentiate from agentvm by being lightweight (~11 MB Wasm binary, compared to 173 MB for agentvm). Though there is still a lot we can learn from agentvm, thank you for sharing their project.
schmuhblaster•1h ago
westurner•1h ago
eWASM has costed opcodes. The EVM virtual machine has not implemented eWASM.
Costed opcodes in WASM for agents could incentivize efficiency
re: wasm-bpf and eWASM and the BPF verifier: https://news.ycombinator.com/item?id=42092120
ewasm docs > Gas Costs > "Gas costs of individual instructions" https://ewasm.readthedocs.io/en/mkdocs/determining_wasm_gas_...
Browser tabs could show CPU, RAM, GPU utilization;
From "The Risks of WebAssembly" (2022) https://news.ycombinator.com/item?id=32765865 :
> Don't there need to be per- CPU/RAM/GPU quotas per WASM scope/tab? Or is preventing DOS with WASM out of scope for browsers?
> IIRC, it's possible to check resource utilization in e.g. a browser Task Manager, but there's no way to do `nice` or `docker --cpu-quota` or `systemd-nspawn --cpu-affinity` to prevent one or more WASM tabs from DOS'ing a workstation with non-costed operations.
Presumably workerd supports resource quotas somehow?
From 2024 re: Process isolation in browsers : https://news.ycombinator.com/item?id=40861851 :
> From "WebGPU is now available on Android" [...] (2022) :
>> What are some ideas for UI Visual Affordances to solve for bad UX due to slow browser tabs and extensions?
>> UBY: Browsers: Strobe the tab or extension button when it's beyond (configurable) resource usage thresholds
>> UBY: Browsers: Vary the {color, size, fill} of the tabs according to their relative resource utilization
souvik1997•45m ago
Agreed on WASI maturity. We're hoping the component model lands in a stable form soon. Would love to see the ecosystem converge so these approaches can interoperate.
syrusakbary•37m ago
Let me know if you need any help using it!