Open-source sandboxes for AI agents — run untrusted, AI-generated code safely on your own machine. Backed by Apple Containers, with an E2B-style TypeScript SDK.
Tupper gives AI agents an isolated environment to execute code, run shell commands, and read and write files — without putting the host at risk. It's a self-hostable, platform-agnostic alternative to hosted code-execution sandboxes like E2B, Daytona, and Modal: the same E2B-style SDK, but running on your own machine through Apple Containers on macOS today (with Firecracker for Linux and WSL for Windows on the way).
Note
Tupper is in early development. @tupper/core, @tupper/container, and @tupper/sdk are functional; APIs may change before 1.0.
- Features
- Requirements
- Installation
- Quick start
- Packages
- Architecture
- How sandboxing compares
- FAQ
- Documentation
- Roadmap
- Contributing
- License
- One SDK, every OS — write your agent code once; Tupper selects the right sandbox runtime for the host automatically (Apple Containers on macOS, Firecracker on Linux, WSL on Windows). New platforms are drop-in — backends self-register on import.
- E2B-style SDK —
Sandbox.create(),commands.run(),files.*, plus reconnect and lifecycle control. - Native macOS sandboxing — Apple Containers via the
containerCLI, with no Docker daemon required. - Runs on Node or Bun — a lean core (Zod its only runtime dependency); source uses Node built-ins only and ships no
Bun.*APIs, so it runs unchanged on either runtime. - Agent-framework ready — drop-in sandbox backends for deepagents and Mastra, plus a Model Context Protocol server, a CLI, and an HTTP API.
- macOS 26+ with Apple's
containerCLI for the default backend (start it once withcontainer system start). - Node 18+ or Bun 1.1+ to consume the packages.
# Bun
bun add @tupper/sdk @tupper/container
# npm
npm install @tupper/sdk @tupper/containerInstall the sandbox backend for your platform alongside the SDK — it is an optional peer dependency (@tupper/container on macOS).
import { Sandbox } from "@tupper/sdk";
const box = await Sandbox.create({ image: "docker.io/library/alpine:latest" });
try {
await box.files.write("/tmp/hi.txt", "hello");
const res = await box.commands.run("cat /tmp/hi.txt");
console.log(res.stdout); // "hello"
} finally {
await box.kill();
}More in Getting started and the SDK reference.
| Package | Version | Description |
|---|---|---|
@tupper/core |
 |
Backend-agnostic sandbox abstraction, shared types, Zod schemas, and dynamic backend resolution. |
Self-register on import; @tupper/core selects one for the host platform.
| Package | Version | Description |
|---|---|---|
@tupper/container |
 |
Apple Containers (container CLI, macOS 26+). |
@tupper/firecracker |
 |
Firecracker microVMs for Linux (nerdctl / firecracker-containerd). 🧪 Experimental. |
@tupper/wsl |
— | WSL for Windows. 🔜 Planned. |
Ways to drive sandboxes, all built on @tupper/sdk.
| Package | Version | Description |
|---|---|---|
@tupper/sdk |
 |
E2B-style Sandbox facade over core — the main programmatic API. |
@tupper/cli |
 |
tupper command-line interface. |
@tupper/api |
 |
HTTP API over the SDK (Hono). |
@tupper/mcp |
 |
Model Context Protocol server. |
Drop-in sandbox backends for agent frameworks.
| Package | Version | Description |
|---|---|---|
@tupper/deepagents |
 |
LangChain deepagents sandbox backend. |
@tupper/mastra |
 |
Mastra WorkspaceSandbox backend. |
flowchart TB
subgraph backends["Backends — self-register on import"]
container["@tupper/container<br/>Apple Containers ✅"]
firecracker["@tupper/firecracker<br/>Linux 🧪"]
wsl["@tupper/wsl<br/>Windows 🔜"]
end
core["@tupper/core<br/>abstraction · types · schemas · runtime backend resolution"]
sdk["@tupper/sdk<br/>E2B-style Sandbox facade"]
subgraph consumers["Consumers"]
cli["@tupper/cli"]
api["@tupper/api"]
mcp["@tupper/mcp"]
adapters["@tupper/deepagents · mastra"]
end
container -. registers .-> core
firecracker -. registers .-> core
wsl -. registers .-> core
sdk --> core
cli --> sdk
api --> sdk
mcp --> sdk
adapters --> sdk
@tupper/core never statically imports a backend — it selects one at runtime from the host platform (darwin → @tupper/container, linux → @tupper/firecracker, win32 → @tupper/wsl) and backends self-register on import, so adding a platform is drop-in. You can override the choice with Sandbox.create({ backend: "@tupper/firecracker" }). See Architecture for details.
Sandboxes trade boot speed for isolation strength, and they differ in whether they hand you a full OS image or just confine a host process. Tupper isn't a hosted service like E2B, Daytona, or Modal — it runs locally — so the fair comparison is by isolation approach, with each tool placed in its tier:
| Approach | OCI image | Kernel | Boundary | Boot (class) | Examples |
|---|---|---|---|---|---|
| Process sandbox | ❌ | shared | host kernel | ~instant (µs–ms) | macOS Seatbelt · Linux seccomp / Landlock · Windows AppContainer |
| Container, shared kernel | ✅ | shared | host kernel | ~tens of ms | Docker · Daytona |
| microVM / VM-per-container | ✅ | own | hardware VM | ~100–300 ms | Firecracker (E2B) · Apple Containers (Tupper) · WSL2 · gVisor (Modal) † |
Tupper sits in the top tier — every sandbox gets its own kernel and runs a full OCI image — but on your own machine, using the OS's native virtualization (Apple's Virtualization.framework today; Firecracker/KVM and WSL2/Hyper-V planned). Native process sandboxes like Seatbelt and AppContainer start instantly but can't run an image or give an agent a clean Linux box to pip install into; Tupper trades a few hundred milliseconds of boot for that full, disposable environment.
† gVisor is a user-space kernel, sitting between containers and full VMs. Boot figures are the underlying runtimes' published numbers (not a Tupper benchmark) and vary by image, configuration, and host. Sources: Apple Containers · Firecracker · E2B & Daytona · Modal · Windows Sandbox
An isolated environment where an LLM agent can execute code and shell commands without access to your host machine — limiting the blast radius of untrusted or AI-generated code so a misbehaving agent can't read your files, reach your network, or break your system.
Those services run your agent's code in their cloud and bill per use. Tupper offers the same kind of SDK but runs sandboxes locally on your own machine — no cloud account, no per-sandbox network latency, and your code never leaves your infrastructure. It's earlier-stage and single-host by design.
No. On macOS, Tupper uses Apple's native container runtime — no Docker daemon. It runs any Linux OCI image, so your agent can use Python, Node.js, Go, and more.
Yes — @tupper/deepagents and @tupper/mastra provide ready-made sandbox backends for those frameworks. For any other client, @tupper/mcp exposes sandboxes over the Model Context Protocol.
- Getting started — prerequisites, install, your first sandbox.
- SDK reference — the
@tupper/sdkSandboxAPI. - Architecture — layering and runtime backend resolution.
- Available —
@tupper/core,@tupper/container(macOS),@tupper/sdk,@tupper/firecracker(Linux, experimental),@tupper/deepagents,@tupper/mastra,@tupper/cli,@tupper/api,@tupper/mcp. ✅ - Planned —
@tupper/wsl(Windows).
Contributions are welcome! Please read CONTRIBUTING.md and our Code of Conduct. Found a vulnerability? Follow our security policy.
git clone https://github.com/lightbearco/tupper.git
cd tupper
bun install
bun testMIT © Tupper contributors
Keywords: AI agent sandbox · sandboxed code execution · code interpreter · run untrusted code · E2B alternative · Apple Containers · Firecracker · WSL · LLM agent runtime · self-hosted sandbox · TypeScript