A lightweight library for secure Node.js execution.
No containers, no VMs — just npm-compatible sandboxing out of the box.
Powered by the same tech as Cloudflare Workers.
Documentation — API Reference — Discord
npm install secure-exec
Give your agent the ability to write and run code safely. This example uses the Vercel AI SDK, but secure-exec works with any tool-use framework.
import { generateText, stepCountIs, tool } from "ai";
import { anthropic } from "@ai-sdk/anthropic";
import { NodeRuntime, createNodeDriver, createNodeRuntimeDriverFactory } from "secure-exec";
import { z } from "zod";
const runtime = new NodeRuntime({
systemDriver: createNodeDriver({
permissions: {
fs: () => ({ allow: true }),
network: () => ({ allow: true }),
},
}),
runtimeDriverFactory: createNodeRuntimeDriverFactory(),
memoryLimit: 64,
cpuTimeLimitMs: 5000,
});
const { text } = await generateText({
model: anthropic("claude-sonnet-4-6"),
prompt: "Calculate the first 20 fibonacci numbers",
stopWhen: stepCountIs(5),
tools: {
execute: tool({
description: "Run JavaScript in a secure sandbox. Assign the result to module.exports to return data.",
inputSchema: z.object({ code: z.string() }),
execute: async ({ code }) => runtime.run(code),
}),
},
});
console.log(text);Give your AI agent the ability to write and run code safely.
- No infrastructure required — No Docker daemon, no hypervisor, no orchestrator. Runs anywhere Node.js, Bun, or an HTML5 browser runs. Deploy to Lambda, a VPS, or a static site — your existing deployment works.
- Node.js & npm compatibility — fs, child_process, http, dns, process, os — bridged to real host capabilities, not stubbed. Run Express, Hono, Next.js, and any npm package. Compatibility matrix →
- Built for AI agents — Give your AI agent the ability to write and run code safely. Works with the Vercel AI SDK, LangChain, and any tool-use framework.
- Deny-by-default permissions — Filesystem, network, child processes, and env vars are all blocked unless explicitly allowed. Permissions are composable functions — grant read but not write, allow fetch but block spawn.
- Configurable resource limits — CPU time budgets and memory caps. Runaway code is terminated deterministically with exit code 124 — no OOM crashes, no infinite loops, no host exhaustion.
- Powered by V8 isolates — The same isolation primitive behind Cloudflare Workers for Platforms and every browser tab. Battle-tested at scale by the infrastructure you already trust.
V8 isolates vs. sandboxes.
| Percentile | Secure Exec | Fastest sandbox |
|---|---|---|
| p50 | 16.2 ms | 440 ms |
| p95 | 17.9 ms | 950 ms |
| p99 | 17.9 ms | 3,150 ms |
Methodology
What's measured: Time from requesting an execution to first code running.
Why the gap: Secure Exec spins up a V8 isolate inside the host process. No container, no VM, no network hop. Sandboxes must boot an entire container or microVM, allocate memory, and establish a network connection before code can run.
Sandbox baseline: e2b, the fastest provider on ComputeSDK as of March 18, 2026.
Secure Exec: Median of 10,000 runs (100 iterations × 100 samples) on Intel i7-12700KF.
| Runtime | Memory |
|---|---|
| Secure Exec | ~3.4 MB |
| Sandbox provider minimum | ~256 MB |
Methodology
What's measured: Memory footprint added per concurrent execution.
Why the gap: V8 isolates share the host process and its V8 engine. Each additional execution only adds its own heap and stack (~3.4 MB). Sandboxes allocate a dedicated container with a minimum memory reservation, even if the code inside uses far less.
What this means: On a 1 GB server, you can run ~210 concurrent Secure Exec executions vs. ~4 sandboxes.
Sandbox baseline: 256 MB, the smallest minimum among popular providers (Modal, Cloudflare Containers) as of March 18, 2026.
Secure Exec: 3.4 MB, the converged average per execution under sustained load.
| Hardware | Secure Exec | vs. cheapest sandbox ($0.000625/s) |
|---|---|---|
| AWS ARM | $0.000011/s | 56x cheaper |
| AWS x86 | $0.000014/s | 45x cheaper |
| Hetzner ARM | $0.0000016/s | 380x cheaper |
| Hetzner x86 | $0.0000027/s | 232x cheaper |
Methodology
What's measured: server price per second ÷ concurrent executions per server
Why it's cheaper: Each execution uses ~3.4 MB instead of a 256 MB container minimum. And you run on your own hardware, which is significantly cheaper than per-second sandbox billing.
Sandbox baseline: Cloudflare Containers, the cheapest sandbox provider benchmarked. Billed at $0.0000025/GiB·s with a 256 MB minimum (March 18, 2026).
Secure Exec: 3.4 MB baseline per execution, assuming 70% utilization.
Not every workload needs a full OS. Secure Exec gives you V8-level isolation for code execution — no container required.
- Secure Exec — Run untrusted code (Node.js, Python) inside your backend process
- Sandboxes — Spin up a full OS with root access, system packages, and persistent disk
| Secure Exec | Sandbox | |
|---|---|---|
| Performance | ✅ Native V8 | ✅ Native container |
| Permissions | ✅ Granular deny-by-default | ❌ Coarse-grained |
| Setup | ✅ Just npm install — no vendor account |
❌ Vendor account required |
| Infrastructure | ✅ Run on any cloud or hardware | ❌ Hardware lock-in |
| Egress | ✅ No egress fees | ❌ Per-GB egress fees |
| API keys | ✅ None | ❌ Required |
Need a full sandboxed operating system? We've got that too.
The Sandbox Agent SDK lets you run coding agents in sandboxes and control them over HTTP. Supports Claude Code, Codex, OpenCode, Amp, and Pi. Works with E2B, Daytona, Vercel, Docker, and Cloudflare.
How does it work?
Secure Exec runs untrusted code inside V8 isolates — the same isolation primitive that powers every Chromium tab and Cloudflare Workers. Each execution gets its own heap, its own globals, and a deny-by-default permission boundary. There is no container, no VM, and no Docker daemon — just fast, lightweight isolation using battle-tested web technology. Architecture →
Does this require Docker, nested virtualization, or a hypervisor?
No. Secure Exec is a pure npm package — npm install secure-exec is all you need. It has zero infrastructure dependencies: no Docker daemon, no hypervisor, no orchestrator, no sidecar. It runs anywhere Node.js or Bun runs.
Can it run in serverless environments?
We are actively validating serverless platforms, but Secure Exec should work everywhere that provides a standard Node.js-like runtime. This includes Vercel Fluid Compute, AWS Lambda, and Google Cloud Run. Cloudflare Workers is not supported because it does not expose the V8 APIs that Secure Exec relies on.
When should I use a sandbox vs. Secure Exec?
Use Secure Exec when you need fast, lightweight code execution — AI tool calls, code evaluation, user-submitted scripts — without provisioning infrastructure. Use a sandbox (e2b, Modal, Daytona) when you need a full operating-system environment with persistent disk, root access, or GPU passthrough. Full comparison →
Can I run npm install in Secure Exec to dynamically install modules?
Yes. Secure Exec supports dynamic module installation via npm inside the execution environment.
Can I use it to run dev servers like Express, Hono, or Next.js?
Yes. Secure Exec bridges Node.js APIs including http, net, and child_process, so frameworks like Express, Hono, and Next.js work out of the box. For production deployments, pair Secure Exec with Rivet Actors to get built-in routing, scaling, and lifecycle management for each server instance.
Can it be used for long-running tasks?
Yes. For orchestrating stateful, long-running tasks, we recommend pairing Secure Exec with Rivet Actors. Rivet Actors provide durable state, automatic persistence, and fault-tolerant orchestration — so each long-running task survives restarts and can be monitored, paused, or resumed without you building that infrastructure yourself.
What are common use cases?
- AI agent code execution and tool use
- User-facing dev servers (Express, Hono, Next.js)
- MCP tool-code execution
- Sandboxed plugin / extension systems
- Interactive coding playgrounds
Does this have Node.js compatibility?
Yes. Most Node.js core modules work — including fs, child_process, http, dns, process, and os. These are bridged to real host capabilities, not stubbed. Compatibility matrix →
Does this have access to a full operating system?
Yes. Secure Exec includes a virtual kernel with a system bridge that supports a granular permission model. Filesystem, network, child processes, and environment variables are all available — gated behind deny-by-default permissions.
Does Secure Exec support JIT compilation?
Yes. Secure Exec runs on native V8 isolates, so your code is JIT-compiled by V8's TurboFan optimizing compiler — the same pipeline that powers Chrome and Node.js. This means full optimization tiers, inline caching, and speculative optimization out of the box.
How does Secure Exec compare to WASM-based JavaScript runtimes like QuickJS?
WASM-based runtimes like QuickJS (via quickjs-emscripten) compile a separate JS engine to WebAssembly, which means your code runs through an interpreter inside WASM — not native V8. Secure Exec uses native V8 isolates directly, so you get the same JIT-compiled performance as JavaScript running on the host. No interpretation overhead, no WASM translation layer, and full Node.js API compatibility.
Apache-2.0