NEWRead
Product · Sandboxes

Every agent gets its own Linux VM.

Running AI agents on your laptop is a leak waiting to happen. Sandboxes are isolated cloud VMs that boot in under a second, snapshot in place, and disappear when the job is done - same reproducible Linux, every single run.

Start freeRead the docs
sandbox · eu-west-1running
explorer
  • src/
  • Button.tsx
  • package.json
  • .codecourier/
  • persona.json
bash
$codecourier sandbox start
→ sb_8f3a · node-22-ts · eu-west-1 · ready in 720ms
$pnpm install
→ 482 packages installed · 6.1s
$pnpm tsc --noEmit
→ ✓ no errors
$codecourier sandbox snapshot
→ snap_8f3a saved · resumable
The problem

Local AI agents leak. Hard.

Workstation drift

Node, Python, Docker, OS patches - every dev box is a snowflake. Agents inherit that mess and your repros stop reproducing.

Secrets walk out

Agents that read your shell read your tokens, your kube config, your SSH keys. One mis-quoted command and they leave the machine.

Workstations blocked

Long-running migrations, full test suites, parallel refactors - all parked on the laptop your engineer was supposed to be coding on.

Anatomy

What is in a sandbox.

Each sandbox is a real Linux VM - not a container in a shared kernel. Six concrete components, every one of them swappable per template.

linux vmisolated
vCPU
RAM
DISK
$ uname -r
6.8.0 · ubuntu 24.04
Linux kernel
Pre-installed CLIs
Project mount
Env vars + secrets
Network egress
Snapshot layer
Templates

Start from a known state.

Templates are versioned base images. Pin a runtime, lock the toolchain, ship the same VM to every agent and every run - or build your own from a Dockerfile.

JS

Node 22 · TypeScript

Node 22, pnpm, Bun-compatible registry mirror. tsc and vitest pre-warmed.

Customize →
Py

Python 3.12 · Poetry

CPython 3.12, Poetry, uv, ruff and mypy. Pinned wheels cached on boot.

Customize →
Go

Go 1.23

Go 1.23 with module proxy, golangci-lint and air for live reloads.

Customize →
Rs

Rust 1.80

Stable Rust, cargo, clippy, rust-analyzer. sccache wired by default.

Customize →
Bn

Bun · TS

Bun runtime with the full TypeScript toolchain. Snapshot resume in under 300ms.

Customize →
···

Custom

Bring a Dockerfile or extend a base. Build once, snapshot once, share across the team.

Customize →
Speed

Fast enough to feel local.

Cold boots benchmarked on the EU and US fleets - production p95, not a marketing average.

<1s
Cold boot
300ms
Snapshot resume
16 vCPU
Up to 32 GB RAM
EU + US
Regions, more soon
File system

Files behave like a real disk.

Read, write, watch and sync - every operation streams through the same SDK, idempotent and typed.

Read and write like a real disk.

Stream bytes in, stream bytes out. Atomic writes, mtime preserved, large files chunked transparently - no special API for big payloads.

/workspace
  • src/
  • ·Button.tsxM
  • ·Card.tsx
  • ·package.json
sdk.ts
await sandbox.files.write(
  "src/Button.tsx",
  source,
);
 
const out = await sandbox.files.read(
  "src/Button.tsx"
);
Lifecycle

Pause, snapshot, resume - same VM.

Every sandbox has a deterministic lifecycle. Boot once, snapshot the warm state, then resume from that snapshot for the next run in a fraction of the cold-boot time.

Snapshots include the disk and the kernel-side state, so a 30-second toolchain install becomes a 300ms restore. Pause when the agent waits on a human; resume the instant the answer arrives.

Start
Snapshot
Pause
Resume
Kill
StartSnapshotPauseResume
Security

Built for the security review.

Isolation is the default, not a checkbox. Every sandbox is a separate VM with its own kernel, its own disk, its own egress policy.

Per-agent VM

No shared kernels, no sibling tenants. Each agent run gets a fresh Linux VM and surrenders it on teardown.

Network egress controls

Default-deny outbound. Allow-list domains per template, or open a narrow tunnel to your private services and nothing else.

Encrypted volumes

Disks are encrypted at rest with per-tenant keys. Snapshots inherit the encryption envelope and never leave your region.

Time-limited tokens

Secrets are injected as short-lived tokens, scoped to the run. They expire the moment the sandbox does - no leftover credentials.

Audit log

Every command, file write and network call is signed and shipped to an immutable log. Replay the run, forensics-grade.

SOC 2 Type II

Annual SOC 2 Type II reports, GDPR DPA on file, EU data residency by default. Procurement passes faster.

Code · TypeScript SDK

One call, one VM.

Spawn a sandbox, run a command, snapshot the state - all from typed TypeScript. No YAML, no separate scheduler, no leaky abstraction.

Sandboxes APIFile operationsManaging sandboxes
sandboxes/run-migration.ts
// Boot a sandbox, run a migration, stream the result
import { createSandbox } from "@codecourier/sdk";

const sandbox = await createSandbox({
  template: "node-22-ts",
  region:   "eu-west-1",
  cpu:      4,
  memoryMB: 8192,
  env:      { DATABASE_URL: secret("db-prod") },
});

const result = await sandbox.runCommand("pnpm db:migrate");

const snap = await sandbox.snapshot();   // → snap_8f3a
await sandbox.pause();

createSandbox returns a typed handle with files, git, network and lifecycle on it. Same shape from Node, Bun and Deno.

Playbooks

Where sandboxes earn their keep.

Parallel migrations across repos

Fan out an upgrade across forty services. Each agent gets its own VM, snapshots its work, opens its own PR.

Read the playbook →

Long-running test suites

Two-hour integration runs that never touch a developer laptop. Boot, snapshot mid-run, resume after lunch.

Read the playbook →

Untrusted-code execution

Run code you did not write - generated, scraped, contributed - without giving it your workstation or your network.

Talk to us →
Sandboxes moved the entire risk surface of our agents off engineer laptops and into a place we can actually audit. Cold-boot speed means it never feels remote - and the snapshot story alone paid for the migration.
Marcus Vidler·Platform Eng Lead · Northwind Systems
FAQ

What platform leads ask.

Where do sandboxes run physically?
Sandboxes run in our managed regions in the EU (Frankfurt, Zurich) and the US (us-east, us-west). You pin a region per template or per call, and snapshots never leave their origin region - so EU data stays in the EU by construction.
Can I bring a custom Docker image?
Yes. Templates accept any OCI-compatible image as their base. We sit on top of a hardened firecracker host, so your Dockerfile becomes a real VM image at build time - same image, same kernel, every boot.
How long do sandboxes live?
By default a sandbox lives for the duration of the run plus an idle grace window you control - typically a few minutes. You can pin a sandbox open for hours when you need it, or kill it the instant the step finishes. Snapshots persist independently.
What happens to the disk between runs?
Nothing implicit. A fresh run gets a fresh VM with the template's clean disk. To carry state forward, snapshot at the end of one run and resume from that snapshot on the next - explicit, auditable, no surprise persistence.
Can sandboxes call our private services?
Yes, through scoped tunnels. You install a lightweight connector in your VPC and grant a sandbox template access to specific internal hosts. Default-deny everywhere else - nothing leaks beyond the allow-list.
Ship safer agents

Boot your first sandbox in seconds.

Start freeRead the docs
Free for 14 days · no credit card

Hire your first AI engineer.
Ship by lunchtime.

5 minutes to onboard. First PR within an hour. Cancel anytime.

Deploy your first agentBook a 20-min demo