confidential agent execution
Hardware-attested agent execution.
Give every AI agent a hardware-isolated, governed sandbox — with optional confidential computing so even the host operator can't read the agent's memory. Self-hosted. Apache-2.0.
curl -fsSL https://github.com/Infrastacks/neuronedge.ai/releases/latest/download/install.sh | sh
- Apache-2.0
- Rust
- Firecracker
- SEV-SNP verified on silicon
/runtime/options
Every agent execution option has a catch
NeuronEdge Enclave is the fourth option — self-hosted Firecracker microVMs with optional hardware-attested confidential mode. You own the infrastructure; the agent can't escape it.
Containers (Docker, gVisor)
Share a kernel with the host. Container escapes are real — and agent-generated code is exactly the threat model where a shared-kernel boundary isn't enough.
Managed sandboxes (E2B, Modal)
Solve isolation but move your data to someone else's infrastructure. Regulated enterprises routinely can't get them approved: residency, DPAs, attestation gaps.
No boundary
Agents run on the developer's laptop or a shared CI runner. The blast radius of a compromised agent is the whole machine.
NeuronEdge Enclave
Separate kernel per workspace, optional SEV-SNP encryption + attestation. Self-hosted, open-source, governed.
/runtime/thesis
Four words, each load-bearing
- hardware-attested: Secrets are released only when attestation evidence matches policy. Proven on Azure DCasv5 silicon.
- agent execution: Primitives (create / exec / snapshot / fork / destroy) built for agent planning loops, not human dev environments.
- customer-owned: A self-hostable binary. Single-host for evaluation, multi-host for production. Your infrastructure.
- apache-2.0: The runtime is open-source forever. No vendor lock-in on the execution layer.
/runtime/status
The runtime is feature-complete for v0.1
Twelve units, ten shipping today, confidential mode verified on silicon.
- Firecracker microVM isolation (separate kernel per workspace): shipping
- gRPC + REST API + Python/TypeScript SDKs: shipping
- Per-workspace networking (netns + TAP + deny-by-default egress): shipping
- L7 privacy router (PII redaction, credential rewriting, supply-chain enforcement): shipping
- Signed, independently-verifiable audit event stream: shipping
- Snapshot / restore / fork / live-state snapshot: shipping
- Warm pool (pre-forked microVMs, ~2ms pool-hit create): shipping
- Host-based ingress routing: shipping
- Single-binary self-host install + hardened systemd units: shipping
- Confidential mode (AMD SEV-SNP, single-CVM-direct, attested key release): verified
- Intel TDX confidential mode: planned
- Per-microVM hardware attestation (bare-metal SNP): v2
/runtime/tiers
Standard and confidential, one runtime
Selected by a single environment variable. Nothing else in your code changes.
Standard tier (default)
Each workspace is a Firecracker microVM with its own kernel. Real isolation for multi-tenant or untrusted-code workloads.
Confidential tier (DCasv5)
The workspace runs inside an AMD SEV-SNP CVM. Memory is encrypted, the cloud operator is excluded, and key release is gated on hardware-rooted attestation evidence.
same API · same SDKs · same audit surface
/runtime/attestation
How the proof is made
Confidential mode is a chain of trust. Each link is checked before anything downstream is trusted — including the secrets your agent needs.
- boot: microVM boots (fresh kernel under KVM)
- measure: code measured (kernel + rootfs hashed)
- attest: SEV-SNP attests (hardware-signed quote)
- verify: evidence verified (checked against policy)
- release: key released (only on a policy match)
- sign: event signed (appended to audit chain)
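The measure, verify, release and sign links above, modelled as an added example; this is not NeuronEdge code or its API. Assumptions: the evidence dict stands in for a quote whose hardware signature has already been checked, the field names (measurement, debug) are hypothetical, and an HMAC stands in for the audit stream's signature so the sketch needs only the standard library.

```python
import hashlib, hmac, json

# Constructed sample artifacts and keys; stand-ins, not real images or secrets.
KERNEL, ROOTFS = b"constructed-kernel-image", b"constructed-rootfs-image"
AUDIT_KEY = b"constructed-audit-signing-key"
WORKSPACE_KEY = b"constructed-workspace-secret"
GENESIS = "0" * 64

def measure(kernel: bytes, rootfs: bytes) -> str:
    """measure: hash kernel + rootfs, length-prefixed so the boundary is unambiguous."""
    h = hashlib.sha256()
    for part in (kernel, rootfs):
        h.update(len(part).to_bytes(8, "big") + part)
    return h.hexdigest()

def _mac(prev: str, event: dict) -> str:
    body = json.dumps({"prev": prev, "event": event}, sort_keys=True)
    return hmac.new(AUDIT_KEY, body.encode(), hashlib.sha256).hexdigest()

def append_event(chain: list, event: dict) -> dict:
    """sign: bind each record to the MAC of the previous one, then MAC it."""
    prev = chain[-1]["mac"] if chain else GENESIS
    record = {"prev": prev, "event": event, "mac": _mac(prev, event)}
    chain.append(record)
    return record

def verify_chain(chain: list) -> bool:
    """Recompute every link; an edited or reordered record breaks the chain."""
    prev = GENESIS
    for rec in chain:
        if rec["prev"] != prev or not hmac.compare_digest(_mac(prev, rec["event"]), rec["mac"]):
            return False
        prev = rec["mac"]
    return True

def release_key(evidence: dict, policy: dict, chain: list):
    """verify + release: fail closed, and audit the decision either way."""
    ok = (hmac.compare_digest(evidence.get("measurement", ""), policy["measurement"])
          and evidence.get("debug") is False)
    append_event(chain, {"action": "key_release", "allowed": ok,
                         "measurement": evidence.get("measurement", "")})
    return WORKSPACE_KEY if ok else None
```

Denied requests are logged as well as granted ones, so a failed attestation leaves the same tamper-evident trace as a successful release.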
/runtime/foundations
Built on credible foundations
# production-credible, Apache-2.0, battle-tested
[dependencies]
- openshell = "agent-sandbox governance — Landlock/seccomp/netns + L7 OPA"
# NVIDIA OpenShell, forked
features = ["pii-redaction", "supply-chain"]
Infrastacks contributions to the fork
- firecracker = "the microVM substrate that powers AWS Lambda"
- amd-sev-snp = "hardware memory encryption + attestation"
- rust = "memory-safe infrastructure, top to bottom"
Run your next agent in a hardware-isolated, governed sandbox.
Looking for design partners — regulated enterprises (finance, healthcare, government) evaluating confidential agent execution. If your CISO has blocked an agent deployment on isolation or attestation grounds, we'd like to talk.
eng@infrastacks.com