Hardware-isolated sandboxes
for AI agents.

One Cloud Hypervisor microVM per sandbox. Drop-in for the E2B and Daytona SDKs. Apache 2.0, self-hostable.

Why Platinum

▸ Real isolation
One Cloud Hypervisor microVM per sandbox. KVM is the boundary — kernel CVE blast radius stops at the VM. Not gVisor. Not Firecracker-in-a-container. Not a chroot.
▸ vsock-only guest
The in-VM agent listens on AF_VSOCK only. A compromised sandbox can't reach its neighbour's /exec — no TCP, no shared L2.
▸ No kernel mods
Stock distro kernel. No DKMS, no out-of-tree drivers, no signed-module dance. You can boot the host with Secure Boot on.
▸ Cross-host by default
Pause in PAR1, resume in PAR2. Archive offloads to S3-compatible storage; the scheduler re-picks a host on resume. Continuous backup with a 4 ms pause window.
▸ API parity
Drop-in for E2B and Daytona SDKs. We accept E2B's templateID body shape, expose /pause, /resume, /files/watch, etc.
▸ Agent-native
MCP server, llms.txt, OpenAPI 3.1, agent skill (npx skills add). Drops into Claude Code, Cursor, Windsurf in one line.
▸ virtio-fs share
Every sandbox gets a host↔guest share at /mnt/dnah-share. Bulk file transfer goes through the host page cache, not framed JSON. Works while the sandbox is paused.
▸ Signed snapshots
Ed25519 signature over (sandbox_id, snapshot_id, manifest_hash, size, ts). Restore rejects unsigned or tampered images. Key rotation via kid.
▸ Add hosts from dashboard
Mint a one-time bootstrap token, run curl /install.sh | sudo bash on a fresh Ubuntu box. Host self-registers in ~5 s. No Ansible.

Lifecycle

Two presets over the underlying auto_stop_minutes / auto_archive_days / auto_delete_days columns. Pick type at create; explicit values always win.

type auto-stop auto-archive auto-delete Use for
persistent (default) 0 0 0 Long-lived dev workspaces — never auto-anything.
ephemeral 15 min idle 7 d stopped 30 d archived Agent runs, CI jobs, throwaway compute (Daytona defaults).
Activity = any route that touches the guest (/exec, /run-code, /files, /sessions, /git, /metrics, /terminal, /snapshot, /share). Detail reads and listings don't count.

Performance

Path What's happening P50 P95
Warm allocationPool claim — Postgres row flip, no spawn14 ms24 ms
Cold spawnReflink rootfs · TAP · CH boot · vsock RPC up98 ms313 ms
First exec (warm)create → exec returning exit 022 ms39 ms
/exec roundtripFramed-JSON RPC over vsock4 ms5 ms
Resume from stop-snapMemory + disk restore, identity preserved309 ms
Restore signed snapshotEd25519 verify · CH --restore · resume1.0 s
ForkSnapshot + clone in one call66 ms
Sequential throughput100× create+delete, pool refills26.3 /s

Architecture

CLIENT SDK · CLI · MCP curl · @platinum/sdk · skill CONTROL PLANE CP BOX Caddy :443 Bun :3000 scheduler · warm pool · reconciler billing · audit · webhook retry · backups snapshot signer (Ed25519, JWK published) Postgres — orgs · sandboxes · audit · webhooks · billing single source of truth; reconciler reads · routes write HTTPS · Bearer · cookie session SANDBOX HOST BARE METAL · KVM · STOCK KERNEL edge-proxy :80 <port>-<sbx>.<host>.nip.io HMAC token · auto-resume on hit virtiofsd per-sandbox · exports <jail>/share via virtio-fs host-agent (Go, root) ▸ spawns cloud-hypervisor per sandbox ▸ TAP/IP allocator on dnah-br0 (10.42/16) ▸ XFS reflink rootfs · KSM dedup · S3 archive ▸ vsock-rpc proxy :18048 (TLS+mTLS+bearer) ▸ /v1/share/* — direct host FS ops, no vsock ▸ GPU VFIO passthrough · hot volume attach CH microVM per sandbox invm-agent (Go, 2.8 MB) listens on AF_VSOCK :18047 /mnt/dnah-share virtio-fs /dev/vda virtio-blk · rootfs eth0 virtio-net · 10.42.X.Y mTLS · bearer · nft IP-allowlist FOUR PLANES INTO THE GUEST control RPC AF_VSOCK :18047 · framed-JSON exec · stat · sessions · snapshot ~4 ms roundtrip · no TCP /v1/sandboxes/:id/{exec, files, sessions} bulk file virtio-fs · /mnt/dnah-share host page cache · zero JSON works while VM is paused /v1/sandboxes/:id/share/* block storage virtio-blk · /dev/vd{a,b,c…} XFS reflink rootfs · O(1) clone live add-disk for hot volumes /v1/volumes/:id/attach network virtio-net · dnah-br0 10.42.0.0/16 · nft egress per sbx cross-sandbox L2 drop /v1/sandboxes/:id/{expose, egress-policy}
The neighbour-VM blast radius stops at KVM. The host-agent never opens a TCP socket to the in-VM agent — control RPC crosses on AF_VSOCK, bulk files cross on virtio-fs, disks on virtio-blk, network on virtio-net. Each plane is independently auditable.