A fake little computer for your agent: versioned filesystem, shell, and sandboxed Python.
Project description
nontainer 📦
A fake little computer for your agent: versioned filesystem, shell, and
sandboxed Python -- as tools for any Python-based agent harness. No Docker,
no cloud sandbox, no infra. pip install nontainer.
Status: pre-alpha. Usable and tested end to end; the API will still move before 1.0.
The pitch
You hand your agent a terminal and a run_python tool. Unlike a
stateless sandbox call, these are stateful and bound to a session: the
shell's cd sticks, files one call writes the next call reads, and a
cache dict persists for the whole conversation. It's a little computer the
agent keeps using -- not a fresh box each call.
And because that computer is a versioned workspace, you get the
operations durable state makes possible: checkpoint every call, fork a
session in O(1), roll back to any commit, audit the history. All in-process,
pip-installable, running wherever Python runs.
| Terminal tool | ~33 shell builtins (grep, sed, jq, tar, ...) over the virtual filesystem via termish. |
| Python tool | Policy-gated sandboxed execution via sandtrap; safe stdlib on by default, open()/os/pathlib routed to the workspace via monkeyfs. |
| In-process | Agent code can call your whitelisted host objects -- the live model, the db pool -- under policy. No cloud sandbox can. |
| Pluggable substrate | kvgit (versioned), AgentFS, or a plain directory -- same tools. |
| Thin adapters | agno toolkit and an MCP server over one core. |
What the sandbox is (and isn't). In-process, the Python sandbox (sandtrap) is a walled garden for cooperative LLM-generated code — it gates what agent code can reach (modules, host objects, the filesystem) to an allowlist you control (safe stdlib on by default, everything else opt-in), not a hardened boundary against code trying to escape. That's the right posture for your own agent's code. When you need a real boundary (untrusted code, or serving to anonymous clients), escalate with
isolation="process"/"kernel". Full framing in the design notes.
The API in one glance
from nontainer import workspace
ws = workspace("user-42") # versioned; a kvgit branch per session
ws.terminal("mkdir -p data && echo 'a,b\n1,2' > data/in.csv")
r = ws.run_python("""
import csv
rows = list(csv.reader(open('data/in.csv'))) # sees the shell's file
cache['n_rows'] = len(rows) # persists across the session
print(rows)
""")
r.checkpoint # commit id this call produced; ws.restore(it) undoes it
fork = ws.fork("what-if") # O(1) branch; the original is untouched
ws.rollback(steps=1) # or time-travel by steps
Adapters are one import away:
from nontainer.adapters.agno import WorkspaceTools # agno Toolkit
# or: python -m nontainer.adapters.mcp --session s1 # MCP server (stdio)
Substrates
WorkspaceProvider is the pluggable seam -- one filesystem-and-KV protocol,
capability flags instead of pretended equivalence:
| Provider | versioned | cheap_fork |
sql_audit |
|---|---|---|---|
| kvgit (default) | ✅ | ✅ O(1) | ❌ |
| plain dir | ❌ | ❌ | ❌ |
| AgentFS (spike) | ❌ | ❌ | ✅ |
kvgit for fork/undo/audit, dir when agent code needs real files (C
extensions, subprocesses), AgentFS for the one-file-artifact + SQL story --
or bring your own provider. Full guidance in the API reference.
App handlers (the [apps] extra)
Agents author full-stack apps: a Preact/HTM frontend plus request
handlers -- serverless semantics, not resident servers. A file's path is
its route (/app/api/scores.py → /api/scores), its exported get/post
are the verbs. The agent builds and verifies entirely in-loop: a curl
builtin hits the dispatcher from the terminal, and test_app runs the app
headlessly through Playwright with the workspace as the origin -- no server,
no Node. To share it, publish a frozen snapshot: build_router serves
the app read-only and concurrently at /apps/{token}/...; mutable app state
lives in an external store injected via host_objects, not the (frozen)
workspace.
Full design -- handler contract, execution model, test_app DSL, serving/threat model: docs/apps.md.
Related work
- Cloud sandboxes (E2B, Daytona, Modal, Fly Sprites): real isolation, real infra. They have persistence; none have history, forking, or in-process host-object access.
- mcp-run-python (Pydantic): the incumbent local run-python (Pyodide-in-Deno). Stateless per call, no workspace, needs Deno.
- AgentFS (Turso): SQLite-backed agent FS + KV + SQL-queryable audit, snapshots by file copy. It comes at the problem from storage where nontainer comes from execution -- and nontainer runs on it as one of its backends.
- Val Town: agents-deploying-endpoints as a polished cloud product (TS). The handler design here is the self-hosted, session-scoped, Python, versioned take on the same instinct.
Part of the agex stack
nontainer composes kvgit, monkeyfs, termish, and sandtrap -- each independently useful, each zero/minimal-dep. agex is the full agent framework over the same substrate; nontainer is the environment layer alone, offered to someone else's loop.
Documentation
- Quick Start -- first workspace, sandbox config, backends, adapters, the apps loop; runnable examples
- API Reference -- every class, method, and flag
- Design notes -- why it's shaped this way (execution model, commit granularity, tool exposure) and what's still ahead
- Apps design -- handler contract, execution model, test_app, serving/threat model
- Examples -- live agno agents: a data analyst
(
analyst.py) and a build-and-verify web app (webapp.py)
Install
pip install nontainer # workspace + terminal + run_python
pip install nontainer[agno] # + agno Toolkit adapter
pip install nontainer[mcp] # + MCP server (python -m nontainer.adapters.mcp)
pip install nontainer[apps] # + handlers/curl, Playwright test_app, serving router
pip install nontainer[agentfs] # + AgentFS substrate (agentfs-sdk)
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file nontainer-0.1.1.tar.gz.
File metadata
- Download URL: nontainer-0.1.1.tar.gz
- Upload date:
- Size: 328.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a47f3a81e93001efb278763d4936573ca1d16d4c3f65a83c761b6d472046a552
|
|
| MD5 |
b209a69ddb1f6d66b537ff7754347e26
|
|
| BLAKE2b-256 |
be03f3c949603030e8d694cde19272c527a31c2f347dbfbb75e25d8bf5034bd0
|
File details
Details for the file nontainer-0.1.1-py3-none-any.whl.
File metadata
- Download URL: nontainer-0.1.1-py3-none-any.whl
- Upload date:
- Size: 102.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8b3723aae4bb17e8e7d146e81b9ae7102bcbdcfe5601404ba1ce31c9794382c0
|
|
| MD5 |
bb1c3dbbdd97d80e84555b9833f2147e
|
|
| BLAKE2b-256 |
0f0dd47df73617d4a324806e1b2d670afddbe9cfd109b17804816dc12d009e8d
|