The orientation as a safe sandbox for AI / MCP tools is a very nicely packaged looking experience, and very well marketred. Congratulations! I'm still not sure why this warrants being it's own project.
Exactly my thoughts when I read the headline, after having read a similar one every few months.
However, by looking at it and playing with a few simple examples, I think this is the one that looks the closest so far.
Definitely interested to see the FS support, and also some instruction on how to customize the images to e.g. pre-install common Python packages or Rust crates. As an example, I tried to use the MCP with some very typical use-cases for code-execution that OpenAI/Anthropic models would generate for data analysis, and they almost always include using numpy or a excel library, so you very quicly hit a wall here without the ability to include libraries.
My ideal solution is non-Docker purely because I build software for other people to use. I don't want to have to tell my users "step 1: install Docker" if I can avoid it.
That looks really cool, but it's missing the one feature I want most from anything that runs a sandbox (or any security-related software): I need something which a billion dollar company with a professional security team is running in production on a daily basis.
So much of the solutions to this stuff I see come from a GitHub repo with a few dozen commits and often a README that says "do not rely on this software yet".
Definitely going to play with it a bit though, I love the idea of hooking into Apple's Hypervisor.framework (which absolutely fits my billion-dollar-company requirement.)
If you use macOS then it has a great sandboxing system built in (albeit, undocumented). Anthropic are starting to experiment with using it in Claude Code to eliminate permission prompts. Claude can choose to run commands inside the sandbox, in which case they execute immediately.
I've thought about making one of these for other coding agents. It's not quite as trivial as it looks and I know how to do it, also on Windows, although it seems quite a few coding agents just pretend Windows doesn't exist unfortunately.
The lack of documentation for that system is so frustrating! Security feature are the one thing where great documentation should be table stakes, otherwise we are left just wildly guessing how to keep our system secure!
It's an internal system that exposes implementation details all over the place, so I understand why they do it that way. You have to know a staggering amount about the architecture of macOS to use it correctly. This isn't a reasonable expectation to have of developers, hence why the formal sandbox API is exposed via a set of permissions you request and the low level SBPL is for exceptions, sandboxing OS internals and various other special cases.
Is AI a special case? Maybe! I have some ideas about how to do AI sandboxing in a way that works more with the grain of macOS, though god knows when I'll find the time for it!
Because those have different directions than microsandbox and you've already mentioned one. I want easy secure sandboxes for AI builders. IMHO, microsandbox is easier to get started with.
That said I don't think either KataContainer or Cloud Hypervisor has first-class support for macOS.
Cloud Hypervisor and Firecracker both have an excellent reputation for ultra lightweight VM's. Both are usable in the very popular Kata Containers project (as well as other upstart VM's Dragonball, & StratoVirt). In us by for example the CNCF Confidential Containers https://github.com/kata-containers/kata-containers/blob/main... https://confidentialcontainers.org/
There's also smaller efforts such as firecracker-containerd or Virtink, both which bring OCI powered microvms into a Docker like position (easy to slot into Kubernetes), via Firecracker and Cloud Hypervisor respectively. https://github.com/smartxworks/virtink https://github.com/firecracker-microvm/firecracker-container...
Poking around under the hood, microsandbox appears to use krun. There is krunvm for OCI support (includes MacOS/arm64 support!). https://github.com/containers/krunvm https://github.com/slp/krun
The orientation as a safe sandbox for AI / MCP tools is a very nicely packaged looking experience, and very well marketred. Congratulations! I'm still not sure why this warrants being it's own project.