[buremba]

Neat! I wasn’t aware that Docker has an embedded microVM option.

I use Kata Containers on Kubernetes (Firecrackers) and restrict network access with a proxy that supports you to block/allow domain access. Also swap secrets at runtime so agents don’t see any secrets (similar to Deno sandboxes)

If anybody is interested in running agents ok K8S, here is my shameless plug: https://github.com/lobu-ai/lobu

[debarshri]

Kata containers are the right way to go about doing sandboxing on K8s. It is very underappreciated and, timing-wise, very good. With ec2 supporting nested virtualization, my guess is there is going to be wide adoption.

[FourSigma]

I am pretty sure Apple containers on MacOS Tahoe are Kata containers

[TheTaytay]

Woah, that looks great. I’ve been looking for something like this. Neither thr readme or the security doc go into detail on the credential handling in the gateway. Is it using tokens to represent the secrets, or is the client just trusting that the connection will be authenticated? I’m trying to figure out how similar this is to something like Fly’s tokenizer proxy.

[buremba]

I’m working on the documentation right now but I had to build 3 prototypes to get here. :)

After seeing Deno and Fly, I rewrote the proxy being inspired by them. I integrates nicely with existing MCP proxy so agent doesn’t see any MCP secrets either.

[bavell]

I'm still not that interested in setting up openclaw, but this implementation actually looks/sounds pretty good.

Thanks for sharing!