bilrost

Hardened Lima VM for running AI agents — overlay isolation, network containment, secrets management, and gated sync.

Install

# Via pipx (recommended)
pipx install bilrost

# Via uv
uv tool install bilrost

# Via pip
pip install bilrost

Usage

# Interactive setup
bilrost init

# Provision the VM (~5 min first run)
bilrost up

# Check status
bilrost status

# SSH into the VM
bilrost ssh

# Sync overlay changes to host (with secret scanning)
bilrost sync

# Stop / destroy
bilrost down
bilrost destroy

MCP Server

Agents can manage the sandbox programmatically via FastMCP:

{
  "mcpServers": {
    "sandbox": {
      "command": "bilrost-mcp"
    }
  }
}

9 tools: sandbox_status, sandbox_up, sandbox_down, sandbox_destroy, sandbox_exec, sandbox_validate, sandbox_ssh_info, sandbox_gateway_info, sandbox_agent_identity.

What It Does

  • OverlayFS isolation — host code mounted read-only, all writes contained in VM overlay
  • Network containment — UFW firewall with explicit allowlist (HTTPS, DNS, Tailscale, NTP only)
  • Secrets management — three injection methods, 0600 perms, never in process lists
  • Gated sync — gitleaks scanning + path allowlist before changes reach your host
  • Docker sandboxing — per-session containers with configurable network isolation
  • 12 Ansible roles — overlay, secrets, gateway, docker, firewall, sync-gate, gh-cli, buildlog, cadence, qortex, tailscale, and more
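
The gated sync idea from the list above (secret scanning plus a path allowlist before overlay changes reach the host), sketched as an added example that is not bilrost's own code. The allowlist globs, the two regexes standing in for gitleaks rules, and all function names are assumptions, and the sample changes are constructed.

```python
import fnmatch
import re
from pathlib import PurePosixPath

# Assumed policy for illustration; not bilrost's real configuration.
# Note: fnmatch's "*" also matches "/", so "src/*" covers nested files.
ALLOWED_GLOBS = ["src/*", "tests/*", "docs/*.md", "README.md"]

# Two simplified regexes standing in for a gitleaks rule set.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def normalize(rel_path):
    """Return a clean relative path, or None if it is absolute or climbs out of the root."""
    p = PurePosixPath(rel_path)
    return None if p.is_absolute() or ".." in p.parts else str(p)

def path_allowed(rel_path, globs=ALLOWED_GLOBS):
    clean = normalize(rel_path)
    return clean is not None and any(fnmatch.fnmatchcase(clean, g) for g in globs)

def find_secrets(text):
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(text))

def gate(changes):
    """Map of overlay path -> content in; (approved paths, {rejected path: reason}) out."""
    approved, rejected = [], {}
    for path, content in sorted(changes.items()):
        if not path_allowed(path):
            rejected[path] = "path not in allowlist"
        elif (hits := find_secrets(content)):
            rejected[path] = "secret detected: " + ", ".join(hits)
        else:
            approved.append(path)
    return approved, rejected

# Constructed sample: files an agent changed inside the VM overlay.
SAMPLE_CHANGES = {
    "src/app.py": "print('hello')\n",
    "src/config.py": "AWS_KEY = 'AKIAEXAMPLEEXAMPLE00'\n",  # fake key, constructed
    "../.ssh/authorized_keys": "constructed key line\n",
    ".github/workflows/ci.yml": "on: push\n",
    "docs/notes.md": "# Notes\n",
}

if __name__ == "__main__":
    print(gate(SAMPLE_CHANGES))
```

The sketch checks path strings and text content only; a gate operating on real files would also need to resolve symlinks on disk before copying anything to the host.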

Requirements

  • macOS (Apple Silicon or Intel)
  • Homebrew
  • ~10GB disk space

Dependencies (Lima, Ansible, etc.) are installed automatically on first run.

Documentation

Full docs: peleke.github.io/openclaw-sandbox

License

MIT

Download files

Source Distribution

bilrost-1.1.0.tar.gz (21.7 kB)

Uploaded Source

Built Distribution

bilrost-1.1.0-py3-none-any.whl (29.1 kB)

Uploaded Python 3

File details

Details for the file bilrost-1.1.0.tar.gz.

File metadata

  • Download URL: bilrost-1.1.0.tar.gz
  • Upload date:
  • Size: 21.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for bilrost-1.1.0.tar.gz
Algorithm Hash digest
SHA256 a7e970a10c32375696b757ddc558ca67a9aca5314a33788c2b9104fbe78d3c84
MD5 dc04aec9fc3ff0a5f2d4fb726b401ac3
BLAKE2b-256 4510af098f1dcdf7dbb68c2486a82ec86dfda5e22389777165883f6d4d224a1c

Provenance

The following attestation bundles were made for bilrost-1.1.0.tar.gz:

Publisher: publish.yml on Peleke/openclaw-sandbox

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file bilrost-1.1.0-py3-none-any.whl.

File metadata

  • Download URL: bilrost-1.1.0-py3-none-any.whl
  • Upload date:
  • Size: 29.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for bilrost-1.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 146dc6543f056d81d72924a03adfa8e4bfe5b3eef5ad49e7b67c6b19b74b56fa
MD5 31a8110dcd1696c213bce2a7be417558
BLAKE2b-256 e350e05e76782c0400cfc81f95f36e3d3212fe56f645b4b4c83af7750e2a991f

Provenance

The following attestation bundles were made for bilrost-1.1.0-py3-none-any.whl:

Publisher: publish.yml on Peleke/openclaw-sandbox

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
