Hardened Lima VM for running AI agents — overlay isolation, network containment, secrets management, and gated sync.

bilrost

Install

# Via pipx (recommended)
pipx install bilrost

# Via uv
uv tool install bilrost

# Via pip
pip install bilrost

Usage

# Interactive setup
bilrost init

# Provision the VM (~5 min first run)
bilrost up

# Check status
bilrost status

# SSH into the VM
bilrost ssh

# Sync overlay changes to host (with secret scanning)
bilrost sync

# Stop / destroy
bilrost down
bilrost destroy

MCP Server

Agents can manage the sandbox programmatically via FastMCP:

{
  "mcpServers": {
    "sandbox": {
      "command": "bilrost-mcp"
    }
  }
}

9 tools: sandbox_status, sandbox_up, sandbox_down, sandbox_destroy, sandbox_exec, sandbox_validate, sandbox_ssh_info, sandbox_gateway_info, sandbox_agent_identity.

What It Does

  • OverlayFS isolation — host code mounted read-only, all writes contained in VM overlay
  • Network containment — UFW firewall with explicit allowlist (HTTPS, DNS, Tailscale, NTP only)
  • Secrets management — three injection methods, 0600 perms, never in process lists
  • Gated sync — gitleaks scanning + path allowlist before changes reach your host
  • Docker sandboxing — per-session containers with configurable network isolation
  • 12 Ansible roles — overlay, secrets, gateway, docker, firewall, sync-gate, gh-cli, buildlog, cadence, qortex, tailscale, and more
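The gated-sync idea from the list above, sketched as an added example (not bilrost's own code): each changed path must normalize to a location inside the tree and match an allowlist, and its content must pass a secret scan, before it is synced. The allowlist globs, the function names, and the two regexes standing in for a gitleaks scan are assumptions; the sample changes are constructed.

```python
import fnmatch
import posixpath
import re

# Hypothetical allowlist; bilrost's real allowlist format is not shown on this page.
ALLOWED_GLOBS = ["src/*", "tests/*", "README.md"]
# Two well-known secret shapes as a stand-in for a gitleaks scan.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def path_allowed(rel_path, globs=ALLOWED_GLOBS):
    """True only for relative paths that stay inside the tree and match a glob."""
    if not rel_path or rel_path.startswith("/") or "\\" in rel_path:
        return False
    norm = posixpath.normpath(rel_path)
    # normpath collapses 'a/../b'; a result still starting with '..' escapes the root.
    if norm in (".", "..") or norm.startswith("../"):
        return False
    return any(fnmatch.fnmatchcase(norm, g) for g in globs)


def gate(changes, globs=ALLOWED_GLOBS):
    """Split {path: text} into (approved, blocked); blocked maps path -> reasons."""
    approved, blocked = [], {}
    for path, text in sorted(changes.items()):
        reasons = [] if path_allowed(path, globs) else ["path-not-allowlisted"]
        reasons += [f"secret:{n}" for n, rx in SECRET_PATTERNS.items() if rx.search(text)]
        if reasons:
            blocked[path] = reasons
        else:
            approved.append(path)
    return approved, blocked


# Constructed sample of overlay changes (not real data; the key is AWS's documentation example).
SAMPLE = {
    "src/app.py": "print('hello')\n",
    "src/config.py": "KEY = 'AKIAIOSFODNN7EXAMPLE'\n",
    "src/../.ssh/authorized_keys": "ssh-ed25519 AAAA... agent\n",
    ".github/workflows/ci.yml": "on: push\n",
    "tests/key.pem": "-----BEGIN RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    ok, held = gate(SAMPLE)
    print("sync:", ok, "hold:", held)
```

The path check runs on the normalized form, so `src/../.ssh/authorized_keys` is judged as `.ssh/authorized_keys` and held even though its raw prefix matches `src/*`.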

Requirements

  • macOS (Apple Silicon or Intel)
  • Homebrew
  • ~10GB disk space

Dependencies (Lima, Ansible, etc.) are installed automatically on first run.

Documentation

Full docs: peleke.github.io/openclaw-sandbox

License

MIT

Download files

Source Distribution

bilrost-1.0.0.tar.gz (21.4 kB)

Uploaded Source

Built Distribution

bilrost-1.0.0-py3-none-any.whl (28.8 kB)

Uploaded Python 3

File details

Details for the file bilrost-1.0.0.tar.gz.

File metadata

  • Download URL: bilrost-1.0.0.tar.gz
  • Upload date:
  • Size: 21.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for bilrost-1.0.0.tar.gz
Algorithm Hash digest
SHA256 88a7b45d5c97c8ec12b89992233b5d0b0d7369d384c764f94bb70bfa8b0e1c5f
MD5 ee462a6dfc3715d18099fdd5fbb10bc4
BLAKE2b-256 62e8c38d656890b3803b48c9a0eb167680b2f37cbe09e5998505b8d1899302d7

Provenance

The following attestation bundles were made for bilrost-1.0.0.tar.gz:

Publisher: publish.yml on Peleke/openclaw-sandbox

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file bilrost-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: bilrost-1.0.0-py3-none-any.whl
  • Upload date:
  • Size: 28.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for bilrost-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 df3dada5a09fc1e9eda60b29accd6bfe20986e33b71f7b0dd729f2cb02eac911
MD5 5aa8aa30f51e1fc4e77938f4196ae5e2
BLAKE2b-256 85002a62c17763e1399a726907b246fddf4514f9abd3c306a8b8baf00d827b27

Provenance

The following attestation bundles were made for bilrost-1.0.0-py3-none-any.whl:

Publisher: publish.yml on Peleke/openclaw-sandbox

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
