Launching today
VELA
Securely execute AI-generated & untrusted code
37 followers
Securely execute AI-generated & untrusted code
37 followers
Autonomous AI agents are writing and executing code, but running it on your host server is a massive security risk. Vela (powered by the Aegis runtime) solves this. It’s a policy-driven execution guard that uses Firecracker micro-VMs and HMAC capability tokens to safely run untrusted code. Get structured results, fine-grained filesystem/network restrictions, and a full JSONL audit trail. Open-source, MIT licensed, and built for LangChain/LlamaIndex.
Lineage Lens
The interesting problem here isn't running untrusted code, it's what the sandbox actually contains. A lot of solutions stop at process isolation but still share a network namespace, which means a malicious payload can exfiltrate data or reach internal services even if it can't touch the host filesystem. Curious whether VELA does full network isolation per execution, and how you handle cases where the code legitimately needs outbound access, like an AI-generated script that has to hit an external API to do anything useful.
Lineage Lens
@fberrez1 Thanks Florent — that's exactly the distinction we wanted to address.
You're right that process isolation alone isn't enough. In VELA, isolation is enforced at the micro-VM boundary, and network access is treated as a first-class policy decision rather than an implicit default. A sandbox can be launched with networking completely disabled, which is the safest mode for many AI-generated workloads.
For cases where outbound access is legitimately required (calling APIs, downloading data, etc.), developers can grant narrowly scoped capabilities through policy and capability tokens instead of giving unrestricted access. The goal is to move from a binary "sandboxed/not sandboxed" model to a least-privilege execution model where filesystem, network, runtime limits, and auditability are all controlled per execution.
We're still exploring richer network policies and would love to hear what controls you'd consider essential for production agent workloads. Thanks for the thoughtful question! 🙌
The Firecracker micro-VM approach makes sense here, the ~150ms cold start seems totally workable for tool call use cases. I run a lot of AI-generated code via Claude Code and this is exactly the kind of safety layer I'd want underneath it. Does it handle MCP tool call contexts or is it mainly focused on raw script execution right now? Congrats on shipping!
Lineage Lens
@i_sanjay_gautam
Great question — Vela currently focuses on raw script execution, but MCP tool-call support is something we’re actively thinking about. The sandbox and policy layer are built to be flexible enough for both. Appreciate the kind words!
Congrats on the launch! Host-level agent code execution is a risk people underestimate, so great to see a policy-driven guard here. Will give it a spin on our end.
Lineage Lens
@andreas_rubin_schwarz Thank you, Andreas!
That was exactly our motivation. As agents become more autonomous, the risk shifts from "can the model write code?" to "where is that code being executed?" We wanted a security layer that developers could place between AI-generated actions and their infrastructure without sacrificing speed or developer experience.
Really appreciate the support, and we'd love to hear your feedback once you've had a chance to try it.