Architecture

The runtime

┌─── Host (Linux + KVM) ───────────────────────────────────────────┐
│                                                                   │
│  Your agent framework (LangChain, Mastra, CrewAI, custom)         │
│        │  gRPC / REST                                             │
│        ▼                                                          │
│  ┌─ ne-api (unprivileged, the front door) ──┐                     │
│  └───────────────┬──────────────────────────┘                     │
│                  │ Unix socket (peer-cred auth)                    │
│  ┌───────────────▼──────────────────────────┐                     │
│  │ ne-supervisor (privileged)               │                     │
│  │   ├─ Firecracker microVM (per workspace) │ ← standard tier     │
│  │   │   └─ guest agent over vsock          │                     │
│  │   ├─ L7 privacy router (PII, egress)     │                     │
│  │   └─ signed audit chain                  │                     │
│  └──────────────────────────────────────────┘                     │
│                                                                   │
│  Confidential tier: the whole host is a SEV-SNP CVM; the          │
│  workspace runs directly in it, memory-encrypted + attested.       │
└───────────────────────────────────────────────────────────────────┘

What each workspace gets

Every workspace — regardless of tier

  • A separate execution boundary (kernel or Landlock/seccomp/netns sandbox)
  • A network namespace with deny-by-default egress
  • An L7 privacy router (OPA/Rego + PII redaction + supply-chain enforcement)
  • A signed audit event for every action
  • Snapshot / fork / warm-pool primitives for agent planning loops

The two tiers

Standard vs. Confidential

Standard tier

Firecracker microVM (default)

Isolation
Separate kernel (hardware virtualization)
Boot
~150ms cold; ~2ms warm-pool hit
Trust model
Host operator is trusted (no encryption)

Confidential tier

Verified

single-CVM-direct (B)

Isolation
SEV-SNP encryption + Landlock/seccomp/netns
Attestation
2-layer binding: VCEK→ARK + TPM-Quote nonce
Trust model
Operator-excluded. TCB = paravisor + UEFI digest

The API

The surface

Python SDK
from ne import Client

c = Client("http://127.0.0.1:8080")

# Create a workspace (standard tier by default)
ws = c.create_workspace("my-agent", kernel_image_path="...", rootfs_image_path="...")

# Run a command in the sandboxed workspace
result = c.execute_command(ws.workspace_id, command="pip", args=["install", "requests"])
print(result.stdout)

# Write a file into the workspace
c.write_file(ws.workspace_id, path="main.py", content=b"print('hello')")

# Snapshot + fork (for agent planning loops)
snap = c.snapshot(ws.workspace_id)
forked = c.fork_workspace(snap.snapshot_id, new_workspace_id="plan-b")

# Destroy
c.destroy_workspace(ws.workspace_id)