confidential agent execution

Hardware-attested agent execution.

Give every AI agent a hardware-isolated, governed sandbox — with optional confidential computing so even the host operator can't read the agent's memory. Self-hosted. Apache-2.0.

curl -fsSL https://github.com/Infrastacks/neuronedge.ai/releases/latest/download/install.sh | sh
  • Apache-2.0
  • Rust
  • Firecracker
  • SEV-SNP verified on silicon

/runtime/options

Every agent execution option has a catch

NeuronEdge Enclave is the fourth option — self-hosted Firecracker microVMs with optional hardware-attested confidential mode. You own the infrastructure; the agent can't escape it.

the catch

Containers (Docker, gVisor)

Share a kernel with the host. Container escapes are real — and agent-generated code is exactly the threat model where a shared-kernel boundary isn't enough.

the catch

Managed sandboxes (E2B, Modal)

Solve isolation but move your data to someone else's infrastructure. Regulated enterprises routinely can't get them approved: residency, DPAs, attestation gaps.

the catch

No boundary

Agents run on the developer's laptop or a shared CI runner. The blast radius of a compromised agent is the whole machine.

the fourth option

NeuronEdge Enclave

Separate kernel per workspace, optional SEV-SNP encryption + attestation. Self-hosted, open-source, governed.

/runtime/thesis

Four words, each load-bearing

hardware-attested
Secrets are released only when attestation evidence matches policy. Proven on Azure DCasv5 silicon.
agent execution
Primitives (create / exec / snapshot / fork / destroy) built for agent planning loops, not human dev environments.
customer-owned
A self-hostable binary. Single-host for evaluation, multi-host for production. Your infrastructure.
apache-2.0
The runtime is open-source forever. No vendor lock-in on the execution layer.

/runtime/status

The runtime is feature-complete for v0.1

Twelve units, ten shipping today, confidential mode verified on silicon.

$ nee runtime status  (12 units)
  • Firecracker microVM isolation (separate kernel per workspace): shipping
  • gRPC + REST API + Python/TypeScript SDKs: shipping
  • Per-workspace networking (netns + TAP + deny-by-default egress): shipping
  • L7 privacy router (PII redaction, credential rewriting, supply-chain enforcement): shipping
  • Signed, independently-verifiable audit event stream: shipping
  • Snapshot / restore / fork / live-state snapshot: shipping
  • Warm pool (pre-forked microVMs, ~2ms pool-hit create): shipping
  • Host-based ingress routing: shipping
  • Single-binary self-host install + hardened systemd units: shipping
  • Confidential mode (AMD SEV-SNP, single-CVM-direct, attested key release): verified
  • Intel TDX confidential mode: planned
  • Per-microVM hardware attestation (bare-metal SNP): v2

/runtime/tiers

Standard and confidential, one runtime

Selected by a single environment variable. Nothing else in your code changes.

Standard tier

default
NE_CONFIDENTIAL_MODE=0

Each workspace is a Firecracker microVM with its own kernel. Real isolation for multi-tenant or untrusted-code workloads.

Confidential tier

DCasv5
NE_CONFIDENTIAL_MODE=1

The workspace runs inside an AMD SEV-SNP CVM. Memory is encrypted, the cloud operator is excluded, and key release is gated on hardware-rooted attestation evidence.

same API · same SDKs · same audit surface

/runtime/attestation

How the proof is made

Confidential mode is a chain of trust. Each link is checked before anything downstream is trusted — including the secrets your agent needs.

  1. boot: microVM boots (fresh kernel under KVM)
  2. measure: code measured (kernel + rootfs hashed)
  3. attest: SEV-SNP attests (hardware-signed quote)
  4. verify: evidence verified (checked against policy)
  5. release: key released (only on a policy match)
  6. sign: event signed (appended to audit chain)
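A sketch of steps 2 through 6 as a fail-closed release gate, added here as an illustration; it is not NeuronEdge Enclave code. All names and keys are hypothetical, and HMAC-SHA256 stands in both for the SEV-SNP hardware signature on the quote and for the signature on audit events.

```python
import hashlib, hmac, json

# Constructed stand-ins for this sketch; none of these values come from the project.
HW_KEY = b"constructed-hardware-key"        # plays the role of the SEV-SNP signing key
AUDIT_KEY = b"constructed-audit-key"        # plays the role of the audit signing key
WORKSPACE_KEY = b"constructed-workspace-secret"
GENESIS = "0" * 64

def _mac(key: bytes, data: str) -> str:
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

def measure(image: bytes) -> str:           # step 2: hash kernel + rootfs
    return hashlib.sha256(image).hexdigest()

POLICY = {"measurement": measure(b"kernel+rootfs v1")}  # the only approved image

def attest(measurement: str, nonce: str) -> dict:
    # Step 3: the quote binds the measurement to the verifier's fresh nonce.
    body = json.dumps({"measurement": measurement, "nonce": nonce}, sort_keys=True)
    return {"body": body, "sig": _mac(HW_KEY, body)}

def verify(quote: dict, nonce: str) -> str:
    # Step 4: signature first, then freshness, then policy. "" means a match.
    if not hmac.compare_digest(_mac(HW_KEY, quote["body"]), quote["sig"]):
        return "bad signature"
    claims = json.loads(quote["body"])
    if claims["nonce"] != nonce:
        return "stale nonce"
    if claims["measurement"] != POLICY["measurement"]:
        return "measurement mismatch"
    return ""

def release(quote: dict, nonce: str, audit: list):
    # Steps 5-6: denials are recorded too, so the chain shows every decision.
    reason = verify(quote, nonce)
    event = {"decision": "deny" if reason else "release", "reason": reason,
             "prev": audit[-1]["sig"] if audit else GENESIS}
    event["sig"] = _mac(AUDIT_KEY, json.dumps(event, sort_keys=True))
    audit.append(event)
    return None if reason else WORKSPACE_KEY

def chain_intact(audit: list) -> bool:
    # Recompute every link; an edited or removed event breaks the chain.
    prev = GENESIS
    for e in audit:
        body = {k: v for k, v in e.items() if k != "sig"}
        if e["prev"] != prev or _mac(AUDIT_KEY, json.dumps(body, sort_keys=True)) != e["sig"]:
            return False
        prev = e["sig"]
    return True
```

The nonce check is what stops a previously valid quote from being replayed to obtain the key a second time.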

/runtime/foundations

Built on credible foundations

$ cat foundations.toml

# production-credible, Apache-2.0, battle-tested

[dependencies]

Run your next agent in a hardware-isolated, governed sandbox.

Looking for design partners — regulated enterprises (finance, healthcare, government) evaluating confidential agent execution. If your CISO has blocked an agent deployment on isolation or attestation grounds, we'd like to talk.

eng@infrastacks.com →