https://github.com/zerobootdev/zeroboot
Sub-millisecond VM sandboxes for AI agents via copy-on-write forking
https://github.com/zerobootdev/zeroboot
ai-agents code-execution copy-on-write firecracker kvm rust sandbox virtual-machine vm
Last synced: 28 days ago
JSON representation
Sub-millisecond VM sandboxes for AI agents via copy-on-write forking
- Host: GitHub
- URL: https://github.com/zerobootdev/zeroboot
- Owner: zerobootdev
- License: apache-2.0
- Created: 2026-03-15T21:49:32.000Z (about 1 month ago)
- Default Branch: main
- Last Pushed: 2026-03-21T22:53:51.000Z (about 1 month ago)
- Last Synced: 2026-03-22T11:30:17.241Z (about 1 month ago)
- Topics: ai-agents, code-execution, copy-on-write, firecracker, kvm, rust, sandbox, virtual-machine, vm
- Language: Rust
- Homepage: https://tally.so/r/aQGkpb
- Size: 952 KB
- Stars: 1,714
- Watchers: 11
- Forks: 77
- Open Issues: 6
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-agent-runtime-security - Zeroboot - fork | Sub-millisecond VM sandboxes (0.8ms spawn) via Firecracker snapshot copy-on-write forking — each fork is a real KVM VM with hardware-enforced memory isolation at ~265KB per sandbox. No networking inside forks (serial I/O only). | (Sandboxing & Isolation)
README
Sub-millisecond VM sandboxes for AI agents via copy-on-write forking
---
## Try it
```bash
curl -X POST https://api.zeroboot.dev/v1/exec \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer zb_demo_hn2026' \
-d '{"code":"import numpy as np; print(np.random.rand(3))"}'
```
## Benchmarks
| Metric | Zeroboot | E2B | microsandbox | Daytona |
|---|---|---|---|---|
| Spawn latency p50 | **0.79ms** | ~150ms | ~200ms | ~27ms |
| Spawn latency p99 | 1.74ms | ~300ms | ~400ms | ~90ms |
| Memory per sandbox | ~265KB | ~128MB | ~50MB | ~50MB |
| Fork + exec (Python) | **~8ms** | - | - | - |
| 1000 concurrent forks | 815ms | - | - | - |
Each sandbox is a real KVM virtual machine with hardware-enforced memory isolation.
## How it works
```
Firecracker snapshot ──► mmap(MAP_PRIVATE) ──► KVM VM + restored CPU state
(copy-on-write) (~0.8ms)
```
1. **Template** (one-time): Firecracker boots a VM, pre-loads your runtime, and snapshots memory + CPU state
2. **Fork** (~0.8ms): Creates a new KVM VM, maps snapshot memory as CoW, restores all CPU state
3. **Isolation**: Each fork is a separate KVM VM with hardware-enforced memory isolation
## SDKs
**Python** — [sdk/python](sdk/python/)
```python
from zeroboot import Sandbox
sb = Sandbox("zb_live_your_key")
result = sb.run("print(1 + 1)")
```
**TypeScript** — [sdk/node](sdk/node/)
```typescript
import { Sandbox } from "@zeroboot/sdk";
const result = await new Sandbox("zb_live_your_key").run("console.log(1+1)");
```
## Docs
- [API Reference](docs/API.md)
- [Deployment Guide](docs/DEPLOYMENT.md)
- [Architecture](docs/ARCHITECTURE.md)
## Status
Working prototype. The fork primitive, benchmarks, and API are real, but not production-hardened yet. [Open an issue](https://github.com/adammiribyan/zeroboot/issues) if you're interested.
## Self-host or managed
Zeroboot is open source. Self-host it on any Linux box with KVM, or use the managed API:
curl -X POST https://api.zeroboot.dev/v1/exec \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer zb_demo_hn2026' \
-d '{"code":"import numpy as np; print(np.random.rand(3))"}'
Building the managed service for teams that don't want to run their own infra. Sign up for early access: https://tally.so/r/aQGkpb
## Known limitations
- Forks share CSPRNG state from the snapshot. Kernel entropy is reseeded via RNDADDENTROPY but userspace PRNGs (numpy, OpenSSL) need explicit reseeding per fork. See [Firecracker's guidance](https://github.com/firecracker-microvm/firecracker/blob/main/docs/snapshotting/random-for-clones.md).
- Single vCPU per fork. Multi-vCPU is architecturally possible but not implemented.
- No networking inside forks. Sandboxes communicate via serial I/O only.
- Template updates require a full re-snapshot (~15s). No incremental patching.
## License
[Apache-2.0](LICENSE)