A JavaScript sandbox for your AI agent
Compose filesystems, processes, and packages in a Plan 9-inspired runtime. Runs in Node.js and the browser.
Packages
The distribution primitive. Bundles of code, assets, and metadata that compose into extensions. Install from a registry or embed directly. JS packages evaluate in-process while WASM packages run in isolated linear memory with full VFS routing.
JS Packages
ESM bundles evaluated by the runtime evaluator. Export an Extension that wires bins, fileservers, and init services into the system image. Hot-reloading and tree-shaking built into the pipeline.
WASM Packages
Compiled .wasm binary alongside a thin JS harness. Emscripten modules get a MEMFS bridge while WASI modules route syscalls directly through the kernel VFS. Both support asyncified I/O.
Registry
HTTP catalog with semver resolution. pkg update fetches
the catalog, pkg install resolves constraints and
evaluates into the running image.
Filesystem
Everything is a file. memoryFS provides the base in-memory tree. overlayFS adds copy-on-write layering with whiteout support. srvFS acts as the registry where named fileservers are posted and discovered. Union mounts let multiple servers overlay a single path with configurable bind ordering.
Namespaces are per-process and snapshot-on-fork, so child process mount
mutations remain invisible to the parent. The mount table is a
Map<string, Fileserver[]> resolved by the kernel on
every open/stat/read call.
Shell
POSIX-inspired interpreter with pipelines, redirections, subshells, and
control flow. Resolves bins from PATH, supports shebang
dispatch with a recursion limit, and propagates environment variables
through the process tree. Builtins like cd,
export, and set run in-process to mutate
shell state directly.
The parser emits an AST that the interpreter walks asynchronously,
yielding to the event loop on every pipeline boundary so the host stays
responsive. Tracing via set -x and the
TRACE environment variable.
Harness
coming soonStructured execution environment for LLM agents. Exposes a virtual fileserver (agentFS) with typed NDJSON output streams, modal TTY support, and field files for task state management. Tool calls map cleanly to filesystem operations.
Planned capabilities include session checkpointing, multi-agent coordination via shared namespaces, and a declarative task graph. Model-agnostic—any OpenAI-compatible endpoint works out of the box.
Container
Process-level isolation by combining overlay filesystems with
per-process namespaces. Each container boots its own init system, mounts
a layered image, and exposes a private /dev and
/proc. The host kernel manages the process table while the
container sees only its own subtree.
The builder API—Unix().use(ext).build()—composes
extensions into an immutable image that boots deterministically. Overlay
layers stack with copy-on-write semantics and whiteout files.
Runtime / CLI
Bridges Node.js and browser environments behind a single
PlatformCapabilities interface. Asset loading, ESM
evaluation, fetch, and WASM compilation are all injected through
platform factories—nodeRuntime() and
browserRuntime()—so packages remain isomorphic
without runtime checks.
The CLI boots a full system image in Node.js with readline-backed TTY, package manager, and init supervision. Same extension model as the browser runtime.
Build Tools
Compiles native code into WASM modules for the fishbowl runtime. Each toolchain targets a different source ecosystem but converges on the same package format—a .wasm binary plus a thin JS entry point.
Rust WASI
Compile to wasm32-wasip1 via cargo, post-process with
wasm-opt --asyncify. Syscalls route through the kernel
VFS directly—no intermediate MEMFS copy.
Emscripten
C/C++ through Emscripten with asyncify flags. Glue JS transformed at registry build time. MEMFS bridged via sync-before/sync-after hooks around execution.
Asyncify
Binaryen instruments WASM modules for async host imports. Unwind
saves stack, rewind replays. Blocking ops like
fd_read await JS promises transparently.