SesameSesame

Sandboxes

Sandboxes are used to run agent tasks in isolated environments.

Sesame uses sandboxes to isolate agent session execution. Each sandbox provider offers different tradeoffs between security, performance, and ease of setup.

Security Overview

In addition to provider-level isolation, Sesame supports OS-level sandbox security via @anthropic-ai/sandbox-runtime. This adds filesystem and network restrictions regardless of which provider you use.

Security LayerProtectionAvailability
Provider IsolationProcess/container separationAll providers
Sandbox SecurityFilesystem + network restrictionsmacOS, Linux

Sandbox security is enabled by default on supported platforms. Configure it at /admin/sandbox or via SANDBOX_SECURITY_ENABLED.

What Sandbox Security Provides

  • Filesystem restrictions: Agents can only write to the project directory and /tmp. Sensitive paths like ~/.ssh and ~/.aws are blocked.
  • Network restrictions: Only agent-specific API domains are allowed (e.g., api.anthropic.com for Claude). Admins can configure additional allowed/denied domains.
  • Violation monitoring: Blocked access attempts are logged and streamed to the UI in real-time.

See Settings > Sandbox Security for configuration details.

Runtime & Dependency Management

Sesame uses mise to automatically detect and install the correct runtime versions and dependencies for each project.

FeatureWhat It Does
Runtime versionsReads .nvmrc, .node-version, .python-version, .tool-versions, mise.toml
DependenciesAuto-runs npm install, pip install, bundle install, etc. based on lockfiles
IsolationEach sandbox gets its own mise installation

This means agents work with the exact versions specified in the project, without manual setup.

See How It Works > Mise Integration for technical details on how this works.

Sandbox Providers

Filesystem

Docker

Vercel

Daytona

E2B

Comparison

Overview

ProviderIsolationSetupBoot TimeBest For
FilesystemProcessNoneInstantDevelopment, trusted environments
DockerContainerDocker installed~2-5sProduction, untrusted code
VercelCloud microVMAPI credentialsSecondsVercel hosting, cloud-native
DaytonaCloud sandboxAPI keySecondsCloud development, flexible resources
E2BCloud VMAPI key~150msFast cloud sandboxes, simple setup

Features

FeatureFilesystemDockerVercelDaytonaE2B
Output streamingYesYesYesYesYes
stdin supportYesYesNoNoNo
Port previewslocalhostDynamic (socat proxy)Declared upfrontDynamicDynamic
PersistenceFull (host filesystem)Optional (volume mounts)None (ephemeral)Until cleanup/auto-stopUntil cleanup/timeout
Native file operationsShell commandsShell commands (docker exec)SDK (@vercel/sandbox)SDK (@daytonaio/sdk)SDK (e2b)
Custom images/templatesN/ACustom Docker imagesRuntime selectionLanguage selectionCustom E2B templates
Resource configurationHost limitsContainer limitsvCPUs, timeoutCPU, memory, diskTemplate-based

Security

FeatureFilesystemDockerVercelDaytonaE2B
OS-level sandboxingYes (required)AvailableN/A (cloud isolation)N/A (cloud isolation)N/A (cloud isolation)
Filesystem restrictionsVia sandbox securityContainer + sandbox securityCloud VM isolationCloud isolationCloud VM isolation
Network restrictionsVia sandbox securityContainer + sandbox securityCloud VM isolationCloud isolationCloud VM isolation
Violation monitoringYesYesNoNoNo

OS-level sandboxing via @anthropic-ai/sandbox-runtime restricts filesystem and network access on the host. Cloud providers (Vercel, Daytona, E2B) don't need it because their VMs already provide full isolation.

The Docker provider uses the official sesame-sandbox image by default, which comes pre-loaded with mise, common runtimes (Node.js, Python, Go, Rust, Ruby, Bun), and all agent CLIs for fast session startup.

The Vercel provider requires ports to be declared at sandbox creation time. All other providers support dynamic port exposure.

Amp

Sourcegraph's multi-model AI coding agent

Filesystem

Run agent tasks in local temp directories

On this page

Security OverviewWhat Sandbox Security ProvidesRuntime & Dependency ManagementSandbox ProvidersComparisonOverviewFeaturesSecurity