Hardened Lima VM for running AI agents — overlay isolation, network containment, secrets management, and gated sync.

bilrost

Install

# Via pipx (recommended)
pipx install bilrost

# Via uv
uv tool install bilrost

# Via pip
pip install bilrost

Usage

# Interactive setup
bilrost init

# Provision the VM (~5 min first run)
bilrost up

# Check status
bilrost status

# SSH into the VM
bilrost ssh

# Sync overlay changes to host (with secret scanning)
bilrost sync

# Stop / destroy
bilrost down
bilrost destroy

MCP Server

Agents can manage the sandbox programmatically via FastMCP:

{
  "mcpServers": {
    "sandbox": {
      "command": "bilrost-mcp"
    }
  }
}

9 tools: sandbox_status, sandbox_up, sandbox_down, sandbox_destroy, sandbox_exec, sandbox_validate, sandbox_ssh_info, sandbox_gateway_info, sandbox_agent_identity.

What It Does

  • OverlayFS isolation — host code mounted read-only, all writes contained in VM overlay
  • Network containment — UFW firewall with explicit allowlist (HTTPS, DNS, Tailscale, NTP only)
  • Secrets management — three injection methods, 0600 perms, never in process lists
  • Gated sync — gitleaks scanning + path allowlist before changes reach your host
  • Docker sandboxing — per-session containers with configurable network isolation
  • 12 Ansible roles — overlay, secrets, gateway, docker, firewall, sync-gate, gh-cli, buildlog, cadence, qortex, tailscale, and more
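
A sketch of what a gated sync check of this kind involves, as an added example (not bilrost's own code). The names `gate`, `demo`, `ALLOWED_GLOBS` and `SECRET_RULES`, the allowlist entries and the two regex rules are assumptions for illustration; the regexes stand in for a real scanner such as gitleaks.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

# Assumed policy for illustration only; not bilrost's configuration.
ALLOWED_GLOBS = ["src/*", "tests/*", "README.md"]  # fnmatch "*" also spans "/"
# Two stand-in rules; a real gate would invoke a scanner such as gitleaks.
SECRET_RULES = {
    "aws-access-key-id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def gate(upper: Path, rel_paths):
    """Return (approved, rejected); rejected maps each path to a reason."""
    approved, rejected = [], {}
    root = upper.resolve()
    for rel in rel_paths:
        target = upper / rel
        real = target.resolve()  # collapses ".." and follows symlinks
        if target.is_symlink():
            rejected[rel] = "symlink"
        elif not real.is_relative_to(root):  # Python 3.9+
            rejected[rel] = "escapes overlay"
        elif not real.is_file():
            rejected[rel] = "not a regular file"
        else:
            # Match the allowlist against the normalised path, never the raw one.
            norm = real.relative_to(root).as_posix()
            if not any(fnmatch.fnmatch(norm, g) for g in ALLOWED_GLOBS):
                rejected[rel] = "path not allowlisted"
                continue
            data = real.read_bytes()
            hits = [name for name, rx in SECRET_RULES.items() if rx.search(data)]
            if hits:
                rejected[rel] = "secret: " + ",".join(hits)
            else:
                approved.append(norm)
    return approved, rejected

def demo():
    """Run the gate over a constructed overlay directory."""
    with tempfile.TemporaryDirectory() as d:
        upper = Path(d)
        (upper / "src").mkdir()
        (upper / "src/app.py").write_text("print('ok')\n")
        # AWS's published documentation example key, not a live credential.
        (upper / "src/conf.py").write_text("KEY = 'AKIAIOSFODNN7EXAMPLE'\n")
        (upper / ".env").write_text("TOKEN=constructed\n")
        return gate(upper, ["src/app.py", "src/conf.py", ".env", "src/../../etc/hosts"])
```

The raw string `src/../../etc/hosts` would match the `src/*` glob, which is why the allowlist is applied only after the path has been resolved and confirmed to sit inside the overlay directory.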

Requirements

  • macOS (Apple Silicon or Intel)
  • Homebrew
  • ~10GB disk space

Dependencies (Lima, Ansible, etc.) are installed automatically on first run.

Documentation

Full docs: peleke.github.io/openclaw-sandbox

License

MIT

Download files

Source Distribution

bilrost-0.1.0.tar.gz (21.4 kB view details)

Uploaded Source

Built Distribution

bilrost-0.1.0-py3-none-any.whl (28.8 kB view details)

Uploaded Python 3

File details

Details for the file bilrost-0.1.0.tar.gz.

File metadata

  • Download URL: bilrost-0.1.0.tar.gz
  • Upload date:
  • Size: 21.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for bilrost-0.1.0.tar.gz
Algorithm Hash digest
SHA256 dfef4b394f93667e264eacdf6e936d855faff2e960dea2b41004958d23c22600
MD5 5323a5087466de49688060ae271c286b
BLAKE2b-256 3045dac58000eb3ad452834db6944f4625fb6aa7bac9faea7a6e1287da525899

Provenance

The following attestation bundles were made for bilrost-0.1.0.tar.gz:

Publisher: publish.yml on Peleke/openclaw-sandbox

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file bilrost-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: bilrost-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 28.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for bilrost-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 31d7ca60d056a43eea8c1646b24c9a8b272dd3de813053fe00d1914a6c7f4910
MD5 dd7c6fc123388dcaa2e105f32560b875
BLAKE2b-256 768c45653382ee8604521d25e7f6df8b483b50029fcf9d2aaa375a47027f5b93

Provenance

The following attestation bundles were made for bilrost-0.1.0-py3-none-any.whl:

Publisher: publish.yml on Peleke/openclaw-sandbox

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
