Apache-2.0 · Rust · Firecracker · AMD SEV-SNP verified on silicon

Hardware-attested agent execution. Self-hosted. Apache-2.0.

Give every AI agent a hardware-isolated, governed sandbox — with optional confidential computing so even the host operator can't read the agent's memory.

$ curl -fsSL https://github.com/Infrastacks/neuronedge.ai/releases/latest/download/install.sh | sh

The problem

Today's agent execution options each have a catch

NeuronEdge Enclave is the fourth option.

1. Containers (Docker, gVisor)

Share a kernel with the host. Container escapes are real — agent-generated code is exactly where a shared-kernel boundary isn't enough.

2. Managed sandboxes (E2B, Modal)

Solve isolation but move your data to someone else's infrastructure. Regulated enterprises can't approve them.

3. No boundary

Agents run on the developer's laptop. The blast radius of a compromised agent is the whole machine.

4. NeuronEdge Enclave

Self-hosted Firecracker microVMs + optional SEV-SNP confidential mode. You own the infrastructure; the agent can't escape it.

What you get

The runtime is feature-complete for v0.1

  • Firecracker microVM isolation (separate kernel per workspace)
  • gRPC + REST API + Python/TypeScript SDKs
  • Per-workspace networking (netns + TAP + deny-by-default egress)
  • L7 privacy router (PII redaction, credential rewriting, supply-chain enforcement)
  • Signed, independently-verifiable audit event stream
  • Snapshot / restore / fork / live-state snapshot
  • Warm pool (pre-forked microVMs, ~2ms pool-hit create)
  • Host-based ingress routing
  • Single-binary self-host install + hardened systemd units
  • Confidential mode (AMD SEV-SNP, single-CVM-direct, attested key release)
  • Intel TDX confidential mode
  • Per-microVM hardware attestation (bare-metal SNP)

Two tiers, one runtime

Standard + Confidential

Selected by a single env var. Same API, same SDKs, same audit surface.

Standard tier

the default

Each workspace is a Firecracker microVM with its own kernel. Real isolation for multi-tenant or untrusted-code workloads.

Confidential tier

Verified on DCasv5

NE_CONFIDENTIAL_MODE=1

The workspace runs inside an AMD SEV-SNP CVM. Memory is encrypted; the cloud operator is excluded; key release is gated on hardware-rooted attestation evidence.

Run your next agent in a hardware-isolated, governed sandbox.

Looking for design partners — regulated enterprises evaluating confidential agent execution.

eng@infrastacks.com