Sandbox types
mvm exposes one secure runtime substrate: a built artifact booted in a
microVM with explicit policy, audit, and lifecycle state. Product-facing SDKs
can layer specialized helpers over that substrate.
Type matrix
Section titled “Type matrix”| Type | Best for | Current path | SDK status |
|---|---|---|---|
| General sandbox | Commands, files, services, long-running work. | mvmctl build, mvmctl up, mvmctl exec, mvmctl fs, mvmctl logs. | Partial Python/TypeScript runtime surface. |
| Code sandbox | Short code execution and interpreter-style tools. | mvmctl run -- <cmd> or a named Python manifest. | Planned convenience helper. |
| Browser sandbox | Browser automation with Playwright/Puppeteer-like tooling. | Build a browser-capable Nix image, run automation inside the guest, forward explicit ports if needed. | Planned high-level helper. |
| Desktop sandbox | GUI or computer-use workflows. | Backend- and image-specific today; use explicit images and port/console access. | Planned high-level helper. |
| Builder sandbox | Secure Linux image construction. | Project builder VM and persistent builder controls. | CLI-first today. |
General sandbox
Section titled “General sandbox”Use this for the broad lifecycle:
mvmctl init ./worker --preset pythonmvmctl build ./workermvmctl up ./worker --name workermvmctl exec worker -- python /work/task.pySecurity properties:
- guest code runs in a microVM backend where supported;
- host files enter only through explicit transfer, mounts, or build inputs;
- network exposure and port forwarding are explicit;
- audit records connect build, admission, launch, and lifecycle operations.
Code sandbox
Section titled “Code sandbox”Use one-shot execution when state should not persist:
mvmctl run --timeout 10 -- python -c 'print(2 + 2)'Use a named sandbox when state is intentional:
mvmctl up ./python-tool --name pytoolmvmctl exec pytool -- python /work/cell.pySecurity requirements for SDK helpers:
- bounded input size;
- timeout required or defaulted;
- output capture bounded and redacted before model use;
- no implicit network or secrets.
Browser sandbox
Section titled “Browser sandbox”Browser automation needs more policy than a normal command:
- browser packages declared in the Nix image;
- target domains allowed explicitly;
- downloads treated as untrusted files;
- cookies, profiles, cache, local storage, and screenshots treated as sensitive state;
- snapshots used only when retaining browser state is intentional.
See Browser automation.
Desktop sandbox
Section titled “Desktop sandbox”Desktop or computer-use workflows need a display server, input events, and a viewing/control channel. Keep these workflows development- or task-scoped until the high-level SDK helper has explicit policy and tests.
Security requirements:
- no host desktop sharing by default;
- credentials injected only through reviewed paths;
- downloads and clipboard content treated as sensitive;
- remote viewing exposed only through explicit ports or endpoints.
See Desktop automation.
Builder sandbox
Section titled “Builder sandbox”The builder VM is not the runtime guest. It is the controlled Linux boundary for Nix evaluation, image builds, and microVM-specific tooling. Runtime guests boot the resulting artifacts.
See Builder VM.