Working in the MicroVM
mvmctl is the local sandbox management surface. It builds images, boots microVMs, runs commands, transfers files, forwards ports, captures logs, and moves sandboxes through pause, cold, resume, stop, and destroy-style workflows.
Common lifecycle
```
mvmctl build ./my-app
mvmctl up ./my-app --name agent-sandbox
mvmctl exec agent-sandbox -- python /work/task.py
mvmctl logs agent-sandbox -f
mvmctl down agent-sandbox
```
Management tasks
| Task | Start here |
|---|---|
| Understand sandbox states and transitions | Lifecycle states |
| Run commands and processes | Run commands & processes |
| Move files across the host/guest boundary | Filesystem operations |
| Expose services or constrain egress | Network & exposing ports |
| Keep state across runs | Persistence, pause & resume |
| Save and recover machine state | Cold mode and Snapshots |
Security posture
- Build inputs are materialized before runtime launch.
- Runtime guests boot through explicit backend selection and local admission.
- Guest operations go through the control plane rather than broad host access.
- Logs, file transfer, and snapshots can carry sensitive data and should be handled as such.
- Network access should be explicit for agent and browser workloads.
Local first
The local workflow should be complete on its own: build, launch, inspect, debug, pause, recover, and remove state from the host you control. Hosted or fleet layers can build on the same semantics later, but the local management commands are the baseline.