Project Name
OpenSandbox
Project Description
OpenSandbox is an open-source, general-purpose sandbox platform for AI applications. It provides multi-language SDKs, unified sandbox lifecycle and execution APIs, a CLI, an MCP server, and Docker/Kubernetes runtimes for safely running AI-generated code, coding agents, GUI/browser agents, agent evaluation workloads, and RL training workloads.
The project was initiated and open-sourced by Alibaba Group. The public repository was created in December 2025 and has grown into a monorepo covering API specifications, lifecycle control plane, in-sandbox execution daemon, network ingress/egress controls, Kubernetes controller, SDKs, CLI, examples, documentation, and release automation.
Key capabilities include:
- Unified sandbox lifecycle APIs for creating, listing, inspecting, renewing, pausing, resuming, snapshotting, and deleting sandboxes.
- In-sandbox execution APIs for shell commands, code execution, filesystem operations, streaming output, and metrics.
- Multi-language SDKs for Python, Java/Kotlin, JavaScript/TypeScript, C#/.NET, and Go.
- OpenSandbox MCP server for exposing sandbox creation, command execution, and text file operations to MCP-capable clients.
- Docker and Kubernetes runtimes for local development and scalable deployment.
- Network ingress and egress controls, including per-sandbox egress policy.
- Stronger isolation options through secure container runtimes such as gVisor, Kata Containers, and Firecracker microVM.
Alignment with AAIF Mission
OpenSandbox aligns with AAIF’s mission to advance open, interoperable, and safely governed agentic AI infrastructure. AI agents increasingly need to run commands, edit files, browse the web, execute generated code, and interact with external tools. OpenSandbox provides the isolated execution substrate for those workflows, with public APIs, SDKs, runtime controls, and documentation that are vendor-neutral and framework-neutral.
The project complements AAIF’s focus on open agent standards by providing a practical runtime boundary for agent actions. It helps make agentic systems safer and more auditable without requiring every agent framework to build its own sandbox, file, command, networking, and isolation layer.
Relation to Existing AAIF Projects
- MCP: OpenSandbox provides an MCP server (opensandbox-mcp) that exposes sandbox lifecycle, command execution, and text file operations as MCP tools. This lets MCP-capable clients such as Claude Code and Cursor execute work inside isolated OpenSandbox environments.
- goose: OpenSandbox is complementary to goose and similar agent runtimes. Goose-style workflows can use OpenSandbox through SDKs, CLI, or MCP to run code and tools in isolated, policy-controlled environments.
- AGENTS.md: AGENTS.md helps agents understand repository-level instructions. OpenSandbox provides a runtime boundary where those agents can execute repository work with controlled filesystem, command, network, and lifecycle behavior.
Example Use Cases and Evidence of Adoption
Use cases:
- Run coding agents such as Claude Code, OpenAI Codex CLI, Gemini CLI, Qwen Code, and Kimi CLI inside isolated containers.
- Provide a code interpreter backend for AI-generated Python/JavaScript/shell execution.
- Run browser automation and GUI/desktop agents with Chrome, Playwright, VNC, and VS Code examples.
- Evaluate agents and RL training workflows in repeatable sandbox environments.
- Self-host sandbox infrastructure on Docker or Kubernetes with secure runtime and network isolation options.
Evidence of adoption:
- As of 2026-05-05, the public GitHub repository has 10,000+ stars, 800+ forks, 60+ open issues, and active development.
- The project has 90+ GitHub Releases across server, SDK, CLI, container, Kubernetes, and Helm targets.
- Public packages include Python (opensandbox), CLI (opensandbox-cli), JavaScript/TypeScript (@alibaba-group/opensandbox), and C#/.NET (Alibaba.OpenSandbox).
- OpenSandbox is listed in the CNCF Landscape.
- The repository includes runnable examples for coding agents, browser automation, desktop environments, code interpreter workflows, Kubernetes volume mounts, and RL training.
Publicly disclosed production/customer-facing deployment:
- Alibaba Cloud Lingyang / 瓴羊: Lingyang uses OpenSandbox’s Kubernetes/Helm-based deployment to provide sandbox environments for its customers. Lingyang is Alibaba’s enterprise digital-intelligence business, providing digital products and data services for enterprise growth scenarios. Public website: https://www.lydaas.com/
Public community usage signals:
OpenSandbox maintains a public “Who is using OpenSandbox” issue where external users and organizations have voluntarily disclosed usage, evaluation, or integration scenarios: alibaba/OpenSandbox#143
Examples include:
- 兴趣岛, Guangzhou, China: using OpenSandbox for managing agent sandbox runtime.
- Unicom Digital Technology Co., Ltd., Beijing, China: researching and testing OpenSandbox for agent platform code-execution nodes and agent skill execution with restricted security boundaries.
- Laiye, Beijing, China: evaluating OpenSandbox as an E2B replacement through backend services and SDK calls to run Claude environments.
- ArcherMind, Nanjing, China: evaluating OpenSandbox for deep-agent scenarios.
- ICBC SDC, Hangzhou, China: disclosed agent-related usage.
- Atome, Beijing, China: disclosed cloud-agent usage.
- ICT, UCAS, Beijing, China: disclosed deep-research usage.
- Independent developers in China and Indonesia have also reported using OpenSandbox as a code-execution sandbox for AI agent platforms.
We distinguish these public issue comments from confirmed production deployments unless the commenter explicitly states production use.
Technical Committee Sponsor (if identified)
No response
GitHub Repository URL
https://github.com/alibaba/OpenSandbox
License
Apache License 2.0
Governance Model
OpenSandbox governance is documented at:
https://github.com/alibaba/OpenSandbox/blob/main/GOVERNANCE.md
The current model includes:
- Public development through GitHub Issues, GitHub Discussions, pull requests, and OpenSandbox Enhancement Proposals (OSEPs).
- CODEOWNERS-based subsystem ownership for server, runtime components, Kubernetes, SDKs, specs, docs, and OSEPs.
- Lazy consensus for normal technical decisions.
- Project Maintainer majority vote when consensus cannot be reached.
- OSEP process for major features, architectural changes, public API changes, runtime behavior changes, and security-model changes.
- Public contribution, security, and code of conduct documents.
OpenSandbox is prepared to adopt AAIF-standard governance and technical charter requirements upon acceptance.
CI/CD & Release Workflow
CI/CD is implemented with GitHub Actions:
- Server tests run Python linting and pytest coverage on Linux and Windows, plus Docker runtime smoke tests.
- SDK tests cover CLI, Python SDKs, JavaScript/TypeScript SDKs, Kotlin SDKs, C# SDKs, and Go SDKs.
- Real E2E workflows run Docker-backed sandbox workflows for Python, Java, JavaScript, C#, and Go clients.
- Component workflows validate execd, ingress, egress, and Kubernetes behavior.
- License header verification runs on pull requests.
- Publish workflows exist for Python SDKs, JavaScript SDKs, Java/Kotlin SDKs, C# SDKs, CLI, server, components, Helm charts, and Kubernetes artifacts.
- Generic release automation creates target-specific tags, release notes, GitHub Releases, signed source archives, SHA256SUMS, and GitHub/Sigstore attestations.
Releases are target-specific and tag-driven, using documented release automation in docs/release-automation.md.
Public-Facing Contribution Process for Specifications
OpenSandbox specifications are public OpenAPI documents under:
https://github.com/alibaba/OpenSandbox/tree/main/specs
Specification and major runtime/API changes are handled through:
Publicly Accessible Issue Tracker
https://github.com/alibaba/OpenSandbox/issues
External Project Dependencies
OpenSandbox’s direct dependencies are primarily permissive-licensed. Key dependencies include:
| Area | Dependencies | Licenses |
| --- | --- | --- |
| Python server/SDK/CLI | FastAPI, Pydantic, HTTPX, Uvicorn, docker SDK, kubernetes client, redis-py, PyYAML, Click, Rich | MIT, BSD-3-Clause, Apache-2.0 |
| Go runtime/Kubernetes | Kubernetes client-go/apimachinery/api, controller-runtime, Gin, Gorilla WebSocket, OpenTelemetry, gopsutil, miekg/dns, Testify | Apache-2.0, MIT, BSD |
| JavaScript/TypeScript SDK | openapi-fetch, undici, openapi-typescript, TypeScript, tsup, ESLint | MIT, Apache-2.0 |
| Java/Kotlin SDK | Kotlin stdlib, kotlinx.serialization, OkHttp, SLF4J, JUnit | Apache-2.0, MIT, EPL |
| C#/.NET SDK | Microsoft.Extensions.Logging.Abstractions, System.Text.Json, PolySharp | MIT |
| Runtime/platform integrations | Docker/Moby, Kubernetes, Helm, OpenTelemetry | Apache-2.0, MIT |
Full dependency manifests are maintained in pyproject.toml, go.mod, package.json, Gradle files, and .csproj files across the repository.
Maintainers & Contributors
The current public maintainer list is represented by the repository-wide owners in CODEOWNERS:
Subsystem maintainers/code owners also include:
Additional contributors include @AlexandrePh, @liuxiaopai-ai, @Gujiassh, @wishhyt, @skyler0513, @ctlaltlaltc, @divyamagrawal06, @joaquinescalante23, and others.
Current maintainership and code ownership are primarily Alibaba-affiliated, as reflected in the repository CODEOWNERS file. The project is transparent about this current state and views AAIF Growth-stage participation as an opportunity to mature toward neutral, multi-stakeholder governance. OpenSandbox intends to expand maintainer authority to sustained external contributors and adopters through public contribution history, subsystem ownership, code review participation, and the OSEP process. The project is prepared to work with AAIF on any recommended governance updates, including clearer maintainer onboarding criteria and broader non-Alibaba maintainer representation.
Leadership Team & Decision Process
Leadership is currently handled by Project Maintainers listed through CODEOWNERS.
Decision process:
- Day-to-day changes are handled by pull requests, CI, and affected-area maintainer review.
- Component-level decisions are made by the maintainers responsible for that component.
- Cross-cutting changes involving specs, SDKs, CLI behavior, lifecycle semantics, runtime isolation, ingress/egress, authentication, release process, or repository tooling require broader review.
- Major design changes go through the public OSEP process.
- The project prefers lazy consensus; unresolved decisions may be settled by a simple majority vote of participating Project Maintainers.
Roadmap
The 12-month roadmap is documented at:
https://github.com/alibaba/OpenSandbox/blob/main/ROADMAP.md
Current roadmap themes include:
- Runtime: lightweight local sandbox, persistent volumes, secure container runtime hardening, pause/resume via rootfs snapshots, secure endpoint access.
- SDK and developer experience: SDK parity across languages, client-side sandbox pool, CLI usability, developer console.
- Observability and operations: OpenTelemetry metrics/logs, agent in-sandbox audit trail, Kubernetes deployment maturity, network isolation guidance.
- Public contracts and governance: lifecycle API stability, security documentation, and continued open governance.
Security
OpenSandbox has an OpenSSF Best Practices Silver badge:
https://www.bestpractices.dev/projects/12588
Security practices include:
- Public SECURITY.md with GitHub Security Advisory and email reporting paths.
- Target response process with acknowledgment within 48 hours.
- Signed public release outputs using GitHub/Sigstore attestations, cosign keyless container signatures, and Maven Central package signatures where applicable.
- Secure container runtime documentation for gVisor, Kata Containers, and Firecracker.
- Network isolation and egress policy documentation.
- License header verification in CI.
- E2E test coverage for sandbox execution workflows.
- Public release verification documentation.
Website URL
https://open-sandbox.ai
Documented Governance Practices (if any)
Links to Social Media Accounts
No response
Details of Existing Financial Sponsorship
No response
Infrastructure Needs or Requests
No response
Additional Information
Preferred lifecycle stage: Growth.
OpenSandbox is already active, public, Apache-2.0 licensed, documented, and used by developers building agentic AI systems. The project is still maturing its public governance, production adopter documentation, and diverse maintainership. Growth stage is a good fit because AAIF mentorship can help OpenSandbox formalize vendor-neutral governance, expand maintainership beyond the initial Alibaba-led team, and align its sandbox APIs and execution model with the broader AAIF ecosystem.
The project is prepared to work with AAIF staff and the Technical Committee on any requested governance, contribution agreement, trademark, infrastructure, or documentation changes required for acceptance.