Architecture decisions, release notes, and deep dives from the Sandbox0 team.
Vercel Eve makes the sandbox backend pluggable. This guide shows how to use Sandbox0 as an Eve SandboxBackend with @sandbox0/eve, including prewarm snapshots, durable session metadata, file and command APIs, and network policy boundaries.
Custom AI agent environments do not always need a custom template and a dedicated warm pool. Sandbox0 rootfs snapshots and claim-time snapshot IDs let teams start from a builtin template, initialize the writable filesystem once, and claim fresh running sandboxes from that state.
Sandbox0 Managed Agents follows the June 2026 Claude Managed Agents primitives with scheduled deployments and vault-backed environment variables: cron-triggered sessions, run history, manual runs, and CLI credentials that stay outside the agent process.
OpenClaw and Hermes Agent are usually deployed on a laptop, Docker host, VPS, or Kubernetes cluster. This post explains the Sandbox0 agent-in-sandbox pattern: run the agent gateway inside a sandbox, keep state on persistent volumes, expose routes through Sandbox Services, and enforce network and credential boundaries outside the agent process.
Sandbox0 Docker in Sandbox lets AI agents run Redis, Postgres, Docker builds, and containerized test workflows inside an isolated sandbox without depending on the host Docker daemon.
Sandbox Functions turn a sandbox into a webhook target without running a long-lived HTTP server. This post introduces the feature through a coding-agent workflow: keep a repository Volume refreshed from GitHub webhooks, publish snapshots, then create per-task Volumes from those snapshots when agent tasks start.
MCP makes it easy to connect agents to tools, but production teams need runtime enforcement for which tools can actually execute. Sandbox0 Protocol Controls add MCP tool allowlists and denylists at the sandbox network boundary.
Claude Managed Agents self-hosted sandboxes move tool execution into infrastructure you control. This post explains how Sandbox0 fits that architecture with persistent workspaces, sandbox lifecycle management, network policy, and egress credential injection.
S3 is the right durable storage layer for cloud-native agent infrastructure, but it is the wrong interface for an AI agent workspace. This post explains why Sandbox0 built S0FS on top of object storage, what problems showed up in the first JuiceFS-based design, and how node-local volume portals improved small-file performance for agent workloads.
Managed agents are becoming the serverless layer for AI agents. The platform owns sandbox execution, durable sessions, observability, agent harnesses, and runtime operations so agent developers can focus on product behavior and pay for session running time.
Production AI agents use sandboxes in two different runtime shapes: sandbox-as-tool and agent-in-sandbox. This post explains the tradeoffs around latency, compatibility, lifecycle, isolation, and pricing, and why Sandbox0 Managed Agents supports both harnesses while charging by session running time.
AI agents need durable workspaces, but durable workspaces create a new security surface. This post explains how Sandbox0 Volumes separate storage from sandbox lifecycle, how S0FS stores manifests and segments, and how application-layer encryption protects persisted objects and node-local cache files.
Agent SDK memory is not just a language-runtime detail. This post introduces a reproducible benchmark for Sandbox0 Managed Agents and explains what the idle process footprint of Claude Agent SDK and Codex SDK means for managed agent capacity planning.
Managed agents are becoming a real infrastructure category, not just a vendor feature. This post explains what managed agents are, how Claude Managed Agents made the model visible, what backend components actually sit behind the API, and why Sandbox0 is building a managed agents backend around durable sessions, sandbox execution, and controlled credential boundaries.
Anthropic now calls it the Claude Agent SDK, but many developers still search for Claude Code SDK. This post separates three deployment modes from a second, independent decision: whether the Claude runtime lives in the same environment as your app or behind a control and execution boundary.
Not every file operation in an AI agent system should require mounting a volume into a running sandbox. Sandbox0 lets you read, write, list, stat, move, delete, upload, download, and watch volume files directly by volume ID over raw HTTP, SDK helpers, and the s0 CLI.
AI agents often request plausible-but-wrong URLs like /docs/self-hosting or /docs/deploy/single-cluster and land on a 404 page. This post explains why static redirect tables do not scale, and how to build a local semantic 404 resolver that maps hallucinated links to the most likely canonical page without creating soft 404s.
The standard advice for AI agent API key security is to use a local proxy that swaps fake tokens for real ones. Sandbox0 goes further: credentials are injected at the kernel network layer, so the agent process never holds a token — real or phantom.
AI agent sandboxes are ephemeral by default — when the container stops, the workspace is gone. Sandbox0 volumes are persistent storage units decoupled from sandbox lifetime: POSIX-native, mountable across multiple sandboxes simultaneously, and forkable with copy-on-write isolation for parallel agent workloads.