No description
Find a file
Cristina Poncela Cubeiro 29fa74d802
feat: single global secret (#123)
This PR adds the proposal in #122. 

It adds a flag `'shared' | 'unique'`, with default `shared`. This makes
HTTP-hook secret placeholders now use marker mode: guest env vars get
`<random-marker>.<normalized_secret_name>` instead of per-secret random
placeholders.

The host replacement path was updated to recognize these structured
references in headers, basic auth, and optional query params, resolve
them back to the configured secret by identifier, and then apply the
existing allowlist/update/delete behavior.

Unique `GONDOLIN_SECRET_<random>` placeholders remain available via
`secretPlaceholderMode: "unique"`, and docs/tests were updated
accordingly.
2026-07-06 12:21:13 +02:00
.github ci: make krun runner publish release-blocking 2026-05-08 08:08:24 +02:00
.husky
docs feat: single global secret (#123) 2026-07-06 12:21:13 +02:00
guest Replace deprecated uv TLS env var 2026-05-07 15:05:00 +02:00
host feat: single global secret (#123) 2026-07-06 12:21:13 +02:00
images feat(rootfs): support runtime rootfs sizing (#107) 2026-05-11 10:24:55 +02:00
packages release: v0.12.0 2026-05-19 13:08:09 +02:00
scripts Replace setup-zig action with own install script (#102) 2026-05-07 11:55:09 +02:00
.gitignore fix(guest): drain TCP socket before closing on POLL.HUP in ingress forwarder (#87) 2026-04-21 09:57:37 +02:00
.prettierignore ref: Reformat with prettier 2026-02-15 14:16:59 +01:00
AGENTS.md Use sandbox helpers for build cmd, removing zig dep (#99) 2026-05-07 10:18:24 +02:00
builtin-image-registry.json chore(images): update registry for alpine-base:0.2.0 2026-04-21 10:14:19 +00:00
builtin-sandbox-helper-registry.json chore(helpers): update registry for gondolin:0.12.0 2026-05-19 11:10:53 +00:00
builtin-trufflehog-registry.json feat: trufflehog for host suggestions 2026-06-07 10:48:07 +02:00
CHANGELOG.md release: v0.12.0 2026-05-19 13:08:09 +02:00
LICENSE
Makefile chore: fix krun-runner build 2026-04-02 16:18:44 +02:00
package.json Experimental libkrun support (#70) 2026-03-06 18:58:19 +01:00
pnpm-lock.yaml release: v0.12.0 2026-05-19 13:08:09 +02:00
pnpm-workspace.yaml Experimental libkrun support (#70) 2026-03-06 18:58:19 +01:00
README.md feat(rootfs): support runtime rootfs sizing (#107) 2026-05-11 10:24:55 +02:00
zensical.toml docs(sdk): shorten nav labels and page titles 2026-02-16 22:58:39 +01:00

Gondolin Agent Sandbox

Local Linux micro-VMs with programmable network and filesystem control.

AI agents increasingly run generated code without human review. That code often needs network access and credentials, which creates exfiltration risk.

Gondolin runs that code inside a fast local Linux micro-VM (QEMU by default, with an optional experimental krun backend) while keeping network and filesystem access under host-side policy control. That policy layer can be customized via JavaScript.

Quick Example

import { VM, createHttpHooks } from "@earendil-works/gondolin";

const { httpHooks, env } = createHttpHooks({
  allowedHosts: ["api.github.com"],
  secrets: {
    GITHUB_TOKEN: {
      hosts: ["api.github.com"],
      value: process.env.GITHUB_TOKEN,
    },
  },
});

const vm = await VM.create({ httpHooks, env });

// String form runs in /bin/sh -lc "..."
const result = await vm.exec(`
  curl -sS -f \
    -H "Accept: application/vnd.github+json" \
    -H "Authorization: Bearer $GITHUB_TOKEN" \
    https://api.github.com/user
`);

console.log("exitCode:", result.exitCode);
console.log("stdout:\n", result.stdout);
console.log("stderr:\n", result.stderr);

await vm.close();

The guest only sees a placeholder token. The real secret is injected by the host only for allowed destinations (including Authorization: Basic ... flows).

CLI Quick Start

npx @earendil-works/gondolin bash

Useful session commands:

# List running sessions
npx @earendil-works/gondolin list

# Attach to an existing session
npx @earendil-works/gondolin attach <session-id>

# Snapshot a running session (stops it)
npx @earendil-works/gondolin snapshot <session-id>

# Resume from snapshot id/path
npx @earendil-works/gondolin bash --resume <snapshot-id-or-path>

Guest assets (kernel/initramfs/rootfs plus optional krun boot artifacts, ~200MB+) are resolved automatically on first use via builtin-image-registry.json and cached locally. When no image is specified, Gondolin uses GONDOLIN_DEFAULT_IMAGE (default: alpine-base:latest).

Requirements:

macOS Linux (Debian/Ubuntu)
brew install qemu node sudo apt install qemu-system-arm nodejs npm

Optional experimental libkrun backend setup:

make krun-runner

Published installs of @earendil-works/gondolin also include platform-specific optional runner packages for supported targets.

This stages libkrun under .cache/ (no global install) and builds the local runner helper at host/krun-runner/zig-out/bin/gondolin-krun-runner. On macOS, the build ad-hoc signs the runner with the com.apple.security.hypervisor entitlement so Hypervisor.framework access is allowed. When present, Gondolin auto-detects this runner for --vmm krun.

Linux prerequisites for make krun-runner (Ubuntu/Debian):

sudo apt install \
  build-essential curl git make pkg-config clang lld xz-utils \
  libclang-dev llvm-dev libcap-ng-dev

# libkrun requires a modern Rust toolchain (edition2024)
curl https://sh.rustup.rs -sSf | sh -s -- -y --profile minimal
. "$HOME/.cargo/env"

# install Zig 0.16.0 for your Linux architecture

When vmm=krun is selected, Gondolin requires krun boot assets from the selected image manifest (assets.krunKernel and optional assets.krunInitrd). For custom kernels/initrds, provide an explicit sandbox.imagePath asset object.

Linux and macOS are supported. ARM64 is the most tested runtime path today. Linux x86_64 make krun-runner is covered by CI smoke builds.

Feature Highlights

  • Local disposable micro-VMs for agent turns/tasks
  • Programmable HTTP/TLS egress policy (allowlists + request/response hooks)
  • Secret injection without guest exposure via placeholders
  • Programmable VFS mounts that allow you to write custom file system behavior in JavaScript.
  • Ingress gateway to expose guest HTTP services on host (--listen, vm.enableIngress())
  • Attaching allows you to attach a shell to an already running VM
  • SSH support
    • host -> guest access (vm.enableSsh())
    • optional guest -> upstream allowlisted SSH egress (proxied, exec-oriented)
  • Disk checkpoints (snapshots) with resume support
  • Custom image builds (Alpine-based build pipeline, optional OCI rootfs source)
  • Configurable DNS behavior (synthetic, trusted, open), rootfs modes (readonly, memory, cow), and runtime rootfs sizing

Documentation

Repository Guides

  • Host package: installation, CLI usage, and SDK examples
  • Guest sandbox: Zig build and image/initramfs pipeline
  • images/: canonical image release build configs (used by image-release workflow)
  • Examples: end-to-end integration examples

Pi Extension

There is a Pi + Gondolin extension that runs pi tools inside a micro-VM and mounts your project at /workspace.

AI Use Disclaimer

This codebase has been built with the support of coding agents.