Add BoxLite as a sandbox option for secure AI agent execution
Summary
I'd like to propose BoxLite as a sandbox solution for Goose. This relates to #5943 which discusses sandbox support options.
What is BoxLite?
BoxLite is an embeddable virtual machine runtime that provides hardware-level isolation without the complexity of traditional VMs or Docker:
- Hardware Isolation — Each sandbox runs in a separate micro-VM with its own kernel, not just namespaces
- No Daemon Required — Embeddable library, no root/Docker daemon needed
- Cross-Platform — macOS (Apple Silicon) and Linux (x86_64, ARM64)
- OCI Compatible — Use any Docker image (`python:slim`, `node:alpine`, etc.)
- Fast Startup — Sub-second boot times with lightweight VMs
- Native Rust — Written in Rust, making integration with Goose straightforward
- Python SDK — Also available via `pip install boxlite`
BoxLite is currently in private beta and will be open-sourced soon.
Why BoxLite?
Comparing sandbox approaches for AI agents:
| Approach | Isolation Level | Daemon Required | Setup Complexity |
|---|---|---|---|
| bubblewrap/seatbelt | Process (shares kernel) | No | Low |
| Docker | Container (shares kernel) | Yes | Medium |
| BoxLite | VM (separate kernel) | No | Low |
| Traditional VMs | Full VM | Yes | High |
BoxLite provides stronger isolation than containers/namespaces (actual VM boundaries via hardware virtualization), but is much lighter than traditional VMs. It was specifically designed for AI agent sandboxing.
Since both Goose and BoxLite are written in Rust, integration would be straightforward — BoxLite can be added as a crate dependency without any FFI overhead or language bridging.
Example Usage
```python
import asyncio
import boxlite

async def main():
    # Boot a micro-VM from an OCI image; the context manager tears it down on exit
    async with boxlite.SimpleBox(image="python:slim") as box:
        result = await box.exec("python", "-c", "print('Hello from sandbox!')")
        print(result.stdout)

asyncio.run(main())
```
Features Relevant to Goose
- Volume Mounts — Mount host directories into the sandbox (read-only or read-write)
- Full Network Access — Outbound connections, DNS resolution, port forwarding
- Streaming I/O — Real-time stdout/stderr
- Resource Control — Configure CPUs, memory limits per sandbox
Links
- Website: https://boxlite-labs.github.io/website/
- PyPI: https://pypi.org/project/boxlite/
Happy to help with integration or answer any questions!
We've also built an MCP server that showcases BoxLite's capabilities: https://github.com/boxlite-labs/boxlite-mcp
This demonstrates how BoxLite can be used as a sandboxed execution environment for AI agents via the Model Context Protocol.
From what I read BoxLite is a very interesting approach. Two things that I think are relevant when discussing this vs. Bubblewrap / Seatbelt sandboxing approaches:
- Network Sandboxing: Hard but possible with Bubblewrap / Seatbelt. Anthropic Sandbox Runtime has demonstrated this, by doing it natively with bubblewrap, and forcing `http{,s}_proxy` on macOS, while preventing native network access.
- System-Switch: This means that the agent does not run on the native system, but inside the VM. This means Linux on Mac and possibly knowledge of system setup tools like nix to get the necessary tools inside the VM. It also means that it is way harder to get help doing stuff on your system from the agent. I / we have also found that the developer experience from running stuff in VMs / Docker can be significantly worse. I am very much looking forward to seeing how BoxLite solves this.
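A worked illustration of the forced-proxy pattern described in the comment above (an added example, not code from this thread, Goose, BoxLite or Anthropic's sandbox runtime): once the sandbox can only reach the network through the proxy named in `http_proxy`/`https_proxy`, the proxy is the single place where outbound policy is applied. The `EgressPolicy` format, the `parse_target`/`decide` helpers, the allowlist and the sample request lines are all constructed here and are not any project's API.

```python
"""Allowlist egress filter for a forward proxy that a sandbox is forced through.

The proxy sees two request shapes from a sandboxed process:
  CONNECT host:port HTTP/1.1              (TLS tunnel, from https_proxy)
  GET http://host[:port]/path HTTP/1.1    (plain HTTP, from http_proxy)
Policy is decided on the (host, port) pair before any upstream connection is made.
Everything below is constructed example code, not part of Goose or BoxLite.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class EgressPolicy:
    """Constructed policy format: allowed_hosts holds exact hostnames or
    ".suffix" entries that also match any subdomain of that suffix."""
    allowed_hosts: frozenset
    allowed_ports: frozenset = frozenset({80, 443})

    def host_allowed(self, host: str) -> bool:
        host = host.lower().rstrip(".")  # normalise case and a trailing dot
        # Raw IP literals are refused outright: they sidestep name-based policy
        # and are the usual route to link-local/metadata or RFC 1918 addresses.
        try:
            ipaddress.ip_address(host)
            return False
        except ValueError:
            pass
        for entry in self.allowed_hosts:
            if entry.startswith("."):
                if host == entry[1:] or host.endswith(entry):
                    return True
            elif host == entry:
                return True
        return False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    host: str
    port: int
    reason: str


def parse_target(request_line: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) for a proxy request line, or None if it is malformed."""
    parts = request_line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            return None
        return host.strip("[]"), int(port)  # strip IPv6 brackets
    try:
        url = urlsplit(target)
        if url.scheme not in ("http", "https") or not url.hostname:
            return None
        port = url.port or (443 if url.scheme == "https" else 80)
    except ValueError:  # urlsplit raises on an invalid port
        return None
    return url.hostname, port


def decide(policy: EgressPolicy, request_line: str) -> Decision:
    """Apply the policy; deny-by-default on anything that fails to parse."""
    parsed = parse_target(request_line)
    if parsed is None:
        return Decision(False, "", 0, "unparseable request line")
    host, port = parsed
    if port not in policy.allowed_ports:
        return Decision(False, host, port, f"port {port} not allowed")
    if not policy.host_allowed(host):
        return Decision(False, host, port, f"host {host!r} not on allowlist")
    return Decision(True, host, port, "allowed")


# Constructed allowlist: a package index, its file host and a code host, nothing else.
POLICY = EgressPolicy(
    allowed_hosts=frozenset({"pypi.org", ".pythonhosted.org", "github.com"})
)

# Constructed request lines, as the proxy would receive them from the sandbox.
SAMPLE_REQUESTS = [
    "CONNECT pypi.org:443 HTTP/1.1",
    "GET http://files.pythonhosted.org/packages/x.whl HTTP/1.1",
    "CONNECT 169.254.169.254:80 HTTP/1.1",   # IP literal: denied regardless of port
    "CONNECT github.com:22 HTTP/1.1",        # allowed host, disallowed port
    "CONNECT unlisted.example:443 HTTP/1.1", # not on the allowlist
    "GET / HTTP/1.1",                        # not a proxy request at all
]


def run_samples(policy=POLICY, requests=SAMPLE_REQUESTS):
    return [decide(policy, line) for line in requests]


if __name__ == "__main__":
    for d in run_samples():
        print("ALLOW" if d.allowed else "DENY ", d.host, d.port, "-", d.reason)
```

The deny-by-default on IP literals is the part worth copying: a name allowlist alone is easily bypassed by connecting to the resolved address directly, so the proxy has to refuse to tunnel to anything that is not a listed name and let DNS happen on the proxy side.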
Thanks for the feedback @dwt!
- Network Sandboxing: BoxLite provides full network access by default (outbound connections, DNS resolution), but network isolation can be configured. Since each sandbox is a separate VM, network policies are enforced at the hypervisor level rather than relying on namespace tricks. This is actually simpler to reason about than bubblewrap/seatbelt approaches.
- System-Switch: You're right about BoxLite's current approach — it runs Linux guests on macOS hosts. I have considered implementing mac-on-mac support, but it requires significant work to implement and test properly. Could you elaborate a bit more on your point about developer experience being worse when running stuff in VMs/Docker? I'd like to understand the specific pain points you've encountered so we can think about how to address them.
Also, I want to clarify the positioning: the idea of BoxLite for agents is beyond just sandboxing which restricts the agent's capabilities. The idea is to give the agent full permissions while not hurting the host. Instead of limiting what the agent can do, we give it a complete environment where it can do anything safely.