Bare-metal microkernel for AI agent sandboxing.
Hardware-level isolation with namespaces, cgroups v2, seccomp-BPF,
eBPF/XDP firewalls, and capability-based filesystems.
[Screenshot: FORGE sandbox management dashboard showing resource utilization, syscall monitoring, and agent isolation controls]
Secure, high-performance execution environments for autonomous AI agents.
FORGE provides hardware-level isolation for AI agent workloads using Linux kernel primitives -- namespaces, cgroups v2, seccomp-BPF, eBPF/XDP firewalls, and capability-based filesystems. Every agent runs inside a minimal sandbox with cryptographically enforced resource boundaries and zero implicit trust.
```text
+------------------------------------------------------------------+
| FORGE Control Plane |
| +------------------+ +------------------+ +----------------+ |
| | Resource Governor | | Network Firewall | | Dashboard | |
| | - CPU/Mem/IO | | - Per-agent ACLs | | - React SPA | |
| | - Budget tracking| | - HTTP inspection| | - Live metrics | |
| | - Rate limiting | | - XDP filtering | | - Capability | |
| +--------+---------+ +--------+---------+ +----+-----------+ |
| | | | |
| +--------v----------------------v------------------v---------+ |
| | Sandbox Runtime | |
| | +-------------+ +-------------+ +-------------------+ | |
| | | Namespaces | | cgroups v2 | | seccomp-BPF | | |
| | | mount,pid, | | cpu,memory, | | Syscall allowlist | | |
| | | net,user, | | io,pids | | AI-workload tuned | | |
| | | uts,ipc | | | | | | |
| | +-------------+ +-------------+ +-------------------+ | |
| +------------------------------------------------------------+ |
| | |
| +---------------------------v--------------------------------+ |
| | Capability Filesystem | |
| | +----------------+ +---------------+ +--------------+ | |
| | | FUSE Daemon | | HMAC-SHA256 | | Policy | | |
| | | VFS layer | | Capability | | Engine | | |
| | | Per-agent mount| | Tokens | | Path+Op+TTL | | |
| | +----------------+ +---------------+ +--------------+ | |
| +------------------------------------------------------------+ |
| | |
| +---------------------------v--------------------------------+ |
| | Code Executor | |
| | +----------------+ +---------------+ +--------------+ | |
| | | MicroVM | | Language | | initramfs | | |
| | | Launcher | | Runtimes | | Builder | | |
| | | <150ms boot | | Python/Node | | Minimal root | | |
| | +----------------+ +---------------+ +--------------+ | |
| +------------------------------------------------------------+ |
+------------------------------------------------------------------+
| | | |
eBPF/XDP LSM-BPF seccomp-BPF cgroups v2
(network) (MAC hooks) (syscall) (resources)
| | | |
+------------------------------------------------------------------+
| Linux Kernel >= 5.15 |
+------------------------------------------------------------------+
```
| Component | Language | Purpose |
|---|---|---|
| sandbox/ | Rust | OCI-compatible container runtime with namespace/cgroup/seccomp |
| capability-fs/ | Rust | FUSE-based capability filesystem with HMAC-SHA256 tokens |
| network-firewall/ | Rust | Per-agent API-level network firewall with HTTP inspection |
| code-executor/ | Rust | MicroVM launcher with <150ms boot, Python/Node execution |
| resource-governor/ | Rust | CPU/memory/IO rate limiting and compute budget tracking |
| ebpf/ | C | seccomp-BPF, XDP firewall, LSM enforcer programs |
| dashboard/ | React/TS | Real-time monitoring dashboard |
- Linux kernel >= 5.15 with BPF, cgroups v2, user namespaces
- Rust >= 1.75 (2024 edition)
- Node.js >= 18 (dashboard only)
- clang/llvm >= 14 (eBPF compilation)
```bash
# Build all Rust components
make build
# Build eBPF programs
make ebpf
# Build dashboard
make dashboard
# Run tests
make test
```

```bash
# Create a sandbox with default AI-agent seccomp profile
forge-sandbox run \
  --memory 512M \
  --cpu-shares 1024 \
  --network-policy allow:api.openai.com:443 \
  --capability-fs /tmp/agent-workspace \
  -- python3 agent.py

# Launch with full configuration
forge-sandbox run --config agent-sandbox.toml
```

```toml
[sandbox]
rootfs = "/var/lib/forge/rootfs/minimal"
hostname = "forge-agent-001"

[sandbox.namespaces]
mount = true
pid = true
net = true
user = true
uts = true
ipc = true

[sandbox.cgroup]
memory_limit = "512M"
cpu_quota = 100000
cpu_period = 100000
pids_max = 64
io_weight = 100

[sandbox.seccomp]
profile = "ai-agent"
log_violations = true

[capability_fs]
mount_point = "/workspace"
signing_key_path = "/etc/forge/cap-key"
default_ttl = "1h"

[network]
default_policy = "deny"
allowed_endpoints = [
  { host = "api.openai.com", port = 443, methods = ["POST"] },
  { host = "huggingface.co", port = 443, methods = ["GET"] },
]

[resources]
compute_budget = 1000
budget_period = "1h"
burst_allowance = 1.5
```

| Metric | FORGE | gVisor | Firecracker | Docker |
|---|---|---|---|---|
| Cold start | 95ms | 180ms | 125ms | 350ms |
| Syscall overhead | 2.1us | 12.4us | 3.8us | 0.8us |
| Memory overhead | 8MB | 45MB | 25MB | 12MB |
| Sandbox density (16GB) | 1,800 | 320 | 580 | 1,200 |
| Network filtering | Line-rate (XDP) | Userspace | N/A | iptables |
| Filesystem isolation | Capability tokens | goferfs | virtio-fs | overlayfs |
Benchmarks measured on AMD EPYC 7763 (64-core), 256GB RAM, Linux 6.1
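The `[network]` table in the configuration above is a default-deny allowlist keyed by host, port and method, and the CLI form `--network-policy allow:host:port` expresses the same thing. The following Python is an added example (not FORGE's Rust firewall code) that evaluates such a policy against outgoing requests; it assumes exact, case-insensitive host matching and that a CLI rule without a method list permits any method.

```python
# Added example of a default-deny per-agent egress policy shaped like
# FORGE's [network] config table. Assumptions (not from the README): exact,
# case-insensitive host match; a CLI "allow:host:port" rule permits any method.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    methods: frozenset = frozenset()  # empty set means any method


@dataclass
class NetworkPolicy:
    default_policy: str = "deny"
    allowed: list = field(default_factory=list)

    @classmethod
    def from_config(cls, cfg: dict) -> "NetworkPolicy":
        """Build a policy from a dict shaped like the [network] TOML table."""
        allowed = [
            Endpoint(e["host"].lower(), int(e["port"]),
                     frozenset(m.upper() for m in e.get("methods", [])))
            for e in cfg.get("allowed_endpoints", [])
        ]
        return cls(cfg.get("default_policy", "deny"), allowed)

    def add_cli_rule(self, rule: str) -> None:
        """Parse a '--network-policy allow:host:port' style rule."""
        action, host, port = rule.split(":")
        if action != "allow":
            raise ValueError(f"unsupported action {action!r}")
        self.allowed.append(Endpoint(host.lower(), int(port)))

    def is_allowed(self, host: str, port: int, method: str) -> bool:
        """Allow only on an explicit (host, port, method) match; else apply the default."""
        for ep in self.allowed:
            if ep.host == host.lower() and ep.port == port:
                if not ep.methods or method.upper() in ep.methods:
                    return True
        return self.default_policy == "allow"


# Constructed sample mirroring the README's agent-sandbox.toml [network] table.
SAMPLE_CONFIG = {"default_policy": "deny", "allowed_endpoints": [
    {"host": "api.openai.com", "port": 443, "methods": ["POST"]},
    {"host": "huggingface.co", "port": 443, "methods": ["GET"]},
]}
```

Note that a method-restricted endpoint rejects every other verb even when host and port match, which is the behaviour the `methods` list in the config implies.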
- Defense in depth: Every layer enforces isolation independently
- Zero implicit trust: Agents start with no capabilities; all access is explicitly granted via signed tokens
- Syscall minimization: AI workloads use ~45 syscalls; FORGE blocks the remaining ~300+
- Network microsegmentation: Per-agent firewall rules at XDP layer (kernel bypass)
- Capability-based filesystem: HMAC-SHA256 signed tokens with path patterns, operation sets, and TTLs
- Resource hard limits: cgroups v2 with OOM-kill and CPU bandwidth throttling
- Audit trail: All security-relevant events logged via tracing
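To make the capability-filesystem model concrete, here is an added Python example (not the project's Rust `capability-fs` implementation) that mints and verifies an HMAC-SHA256 token carrying a path pattern, an operation set and an expiry, as the principles above describe. The token layout, the glob-style pattern semantics and the request-path normalization step are assumptions, not FORGE's format.

```python
# Added example (not FORGE's capability-fs code) of a capability token:
# HMAC-SHA256 over a path pattern, an operation set and an expiry. Token
# layout, glob semantics and path normalization are assumptions.
import hashlib
import hmac
import json
import posixpath
import time
from fnmatch import fnmatchcase


def _mac(key: bytes, claims: dict) -> str:
    """Canonical JSON of the claims keeps the signed bytes deterministic."""
    msg = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def mint_token(key: bytes, path_pattern: str, ops, ttl_seconds: int = 3600, now=None) -> dict:
    """Issue a token granting `ops` on paths matching `path_pattern` for `ttl_seconds`."""
    now = time.time() if now is None else now
    claims = {"path": path_pattern, "ops": sorted(ops), "exp": int(now) + ttl_seconds}
    return dict(claims, mac=_mac(key, claims))


def check_access(key: bytes, token: dict, path: str, op: str, now=None):
    """Return (allowed, reason). The signature is checked before any claim is trusted."""
    now = time.time() if now is None else now
    claims = {k: token.get(k) for k in ("path", "ops", "exp")}
    if not hmac.compare_digest(_mac(key, claims), str(token.get("mac", ""))):
        return False, "bad signature"
    if now >= claims["exp"]:
        return False, "expired"
    if op not in claims["ops"]:
        return False, "op not granted"
    # Collapse ".." before matching so a traversal cannot escape the pattern.
    # fnmatch's "*" also crosses "/", so "/workspace/data/*" covers subtrees.
    if not fnmatchcase(posixpath.normpath(path), claims["path"]):
        return False, "path not covered"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # a deployment would load signing_key_path instead
    tok = mint_token(key, "/workspace/data/*", {"read", "list"})
    print(check_access(key, tok, "/workspace/data/notes.txt", "read"))
    print(check_access(key, tok, "/workspace/data/../../etc/passwd", "read"))
```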
We welcome contributions from the community. Please read our Contributing Guide before submitting a pull request.
For security-related issues, please see our Security Policy.
All participants are expected to follow our Code of Conduct.
Apache License 2.0 -- see LICENSE for full details.
Copyright 2025 FORGE Contributors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0