Sandboxes for AI agents.

A disposable Linux container in 0.6 seconds. Your agent gets root inside; we lock it down at the wall.

Open the sandbox app Read the SDK docs
$ npm install @tangle-network/sandbox
Sandbox app at sandbox.tangle.tools. file tree, terminal, live preview, sidecar policy
0.6s p50 cold-start | any Docker image · SSH access | mTLS sidecar · VM-grade boundary | snapshot · restore · bring your S3
WHAT'S IN THE BOX

Coding agents. Real isolation. Sessions that don't drop.

Three things, one box. The agents teams already use, the isolation tier you actually need, and session state that survives a closed laptop.

CODING AGENTS · ONE SDK

The agents teams already use, behind one SDK.

Each box ships with the official harnesses installed and authenticated. SSH in and run them directly, or call them through one TypeScript SDK that abstracts the protocol differences — stream-json vs JSONL events vs OAuth flows — so a new model release isn't a new integration.

Stream tokens out, resume sessions, fork checkpoints. Same shape across every harness.

Need one we don't ship yet? Tell us
Claude Code
Anthropic · stream-json · session resume
Codex
OpenAI · JSONL events · thread sessions
OpenCode
anomalyco · multi-provider · BYOK
Kimi
Moonshot AI · OAuth · stream-json
Amp
Sourcegraph · tool-rich · enterprise
Factory
Factory.ai · Droid agent · non-interactive
Forge
Forge Code · BYOK · per-provider
Claudish
proxy mode · drop-in for any brain
REAL ISOLATION · NOT MARKETING

Container today. microVM or enclave on-prem.

On the shared cloud, every job runs in its own per-tenant Docker container as a non-root user. Secrets are injected after spawn — never in calldata — so an attacker who reads the request doesn't read the credentials. For most coding agents, that's the right tier: the blast radius of a misbehaving agent is one container, and the container gets thrown away.

When you need stronger isolation, enterprise on-prem swaps the runtime driver for Firecracker microVMs (a hardware-virtualized boundary) or runs the workload inside a hardware TEE. In TEE mode, even your own operator can't read what's running — the box is sealed to the enclave's attestation key.

SHARED CLOUD · TODAY
Per-tenant container
non-root user · uid 1000
per-job filesystem + network
secrets injected post-spawn
ENTERPRISE · ON-PREM
Firecracker microVM
firecracker
hardware-virtualized boundary
host kernel can't bypass
same SDK call, different driver
ENTERPRISE · ATTESTED
Hardware enclave (TEE)
phala
operator can't read inside
attestation-keyed secrets
compliance-grade boundary
SESSION-NATIVE

Sessions that survive disconnects.

An agent session has a lot of live state: open file handles, paused-mid-tool-call promises, the dependencies it just installed, the hour of conversation context. Most sandbox APIs treat process exit as session over — close the tab and you start from zero.

We CRIU-checkpoint the whole box (filesystem, memory, PIDs) to your S3 bucket. Disconnect a session and reconnect from another machine, fork the same checkpoint into 100 parallel runs against an identical starting state, or restore a week-old run in a different region. The agent picks up mid-thought.

t=0
MACHINE A
Working...
claude-code · 47 turns · 1.2 GB
disconnect → snapshot to S3
t=3m
SNAPSHOT
Sealed to S3
CRIU · fs · memory · PIDs
reconnect ← any region
t=4m
MACHINE B · OR FORK ×100
Resumed mid-thought
turn 48 · same context · 1.1s restore
Learn more

Frequently Asked Questions

What is the Sandbox SDK?
A TypeScript SDK and CLI for spinning up isolated cloud containers. Each sandbox is a full Linux environment with root, filesystem, networking, and optional GPU, provisioned in under a second.
Which agent backends work?
OpenCode (default, multi-provider), Claude Code, OpenAI Codex, Sourcegraph AMP, and Factory Droids. Switch backends per request, or bring your own API key.
What images and runtimes are supported?
Any Docker image. Pre-built images for Node, Python, Rust, Go, Ethereum, Solana, and CUDA-enabled GPU workloads. Bring your own Dockerfile if you need a custom base.
How do snapshot and restore work?
Checkpoint the full sandbox (filesystem, packages, state), then restore instantly into a fresh sandbox. Bring your own S3-compatible bucket (S3, GCS, R2) for persistence.
SHIP TODAY

Open the sandbox app.

Sign up at sandbox.tangle.tools. Spawn a box in your browser. Exec, snapshot, ship. The SDK does the same thing programmatically.

Sign up at sandbox.tangle.tools npm install @tangle-network/sandbox
ENTERPRISE

Deploy on prem.

Run Tangle Sandbox inside your own VPC or bare-metal cluster. We run a paid pilot. Your security team reviews the sidecar source, your compliance boundary stays intact, your operators run the control plane. Same SDK, same SLAs.

Reach out Book intake call