Sandboxes
Sandboxes are used to run agent tasks in isolated environments.
Sesame uses sandboxes to isolate agent task execution. Each sandbox provider offers different tradeoffs between security, performance, and ease of setup.
Security Overview
In addition to provider-level isolation, Sesame supports OS-level sandbox security via @anthropic-ai/sandbox-runtime. This adds filesystem and network restrictions regardless of which provider you use.
| Security Layer | Protection | Availability |
|---|---|---|
| Provider Isolation | Process/container separation | All providers |
| Sandbox Security | Filesystem + network restrictions | macOS, Linux |
Sandbox security is enabled by default on supported platforms. Configure it at /admin/sandbox or via SANDBOX_SECURITY_ENABLED.
What Sandbox Security Provides
- Filesystem restrictions: Agents can only write to the project directory and
/tmp. Sensitive paths like~/.sshand~/.awsare blocked. - Network restrictions: Only agent-specific API domains are allowed (e.g.,
api.anthropic.comfor Claude). Admins can configure additional allowed/denied domains. - Violation monitoring: Blocked access attempts are logged and streamed to the UI in real-time.
See Settings > Sandbox Security for configuration details.
Runtime & Dependency Management
Sesame uses mise to automatically detect and install the correct runtime versions and dependencies for each project.
| Feature | What It Does |
|---|---|
| Runtime versions | Reads .nvmrc, .node-version, .python-version, .tool-versions, mise.toml |
| Dependencies | Auto-runs npm install, pip install, bundle install, etc. based on lockfiles |
| Isolation | Each sandbox gets its own mise installation |
This means agents work with the exact versions specified in the project, without manual setup.
See How It Works > Mise Integration for technical details on how this works.
Sandbox Providers
Comparison
| Provider | Isolation | Security | Setup | Performance | Use Case |
|---|---|---|---|---|---|
| Filesystem | Process | + Sandbox Security | None | Fast | Development, trusted environments |
| Docker | Container | + Sandbox Security | Docker required | Fast (with sandbox image) | Production, multi-tenant |
| Vercel | Cloud microVM | Full | API credentials | Fast | Vercel hosting, cloud-native |
| Daytona | Cloud sandbox | Full | API key | Fast | Cloud development, flexible resources |
The Vercel provider requires ports to be declared at sandbox creation time. See the Vercel Sandbox docs for configuration details.
The Docker provider uses the official sesame-sandbox image by default, which comes pre-loaded with mise, common runtimes (Node.js, Python, Go, Rust, Ruby, Bun), and all agent CLIs for fast task startup.