Our technology is much more general than WebContainers, and it's based on a Linux-compatible WebAssembly kernel. It also supports real command line tools, including git, bash and the complete set of busybox utilities.
The version of Claude Code you see running is completely unmodified.
The architecture is a fairly straightforward WebAssembly-native monolithic kernel. Most of the complexities come from making things work well within the browser constraints for real world, large apps.
We have quite a bit of experience on the topic, however; these are previous projects of ours:
WebVM (https://webvm.io): x86 Debian shell running client-side in the browser via x86 -> WebAssembly JIT compilation
On Linux I devised this strategy for letting LLM web UIs or coding agents securely run programs by burying their environment under multiple layers of locally arranged sandboxing.
Basically: run as another user -> run inside firejail sandbox -> run inside a stripped down Alpine Linux VM with smolvm.
P.S. Directories can be easily shared between the sandboxed guest and the host OS.
P.P.S. To stay a bit more on the safe side I also changed the name of the package manager for the guest OS to something else, so that when a coding agent tries to autonomously install external packages it will fail. I then instructed it to (politely) ask for whatever it needs, to be eventually manually installed by me.
Literally working on a product that does this, hah :) I really do think that AI + automation + carefully-designed guardrails will unleash a deluge of productivity for normies, and we've barely scratched the surface.
The state of AI apps is absolutely trash right now, it’s embarrassing that these companies that raised millions are releasing the shittiest slop around without any product ethos. Obviously we're seeing what sticks, but come on guys.
I'm using Brett Cannon's `https://github.com/brettcannon/cpython-wasi-build` running inside a WASI rust container with a carefully-designed host SDK (e.g. sandboxed Chromium access, diff, sandboxed filesystem, pandas subset, PDF reading, etc.). Essentially the AI sees a goal, a plan, and essentially treats the "task space" as a WASI-powered Python notebook.
Mainly focused on the user experience, and I think that local LLMs (secure/private) + standard Python + host functions + (some external stuff like screen reading & quarantined web access) is more than enough for 90% of actionable tasks.
P.S. I was casually searching for "sandboxed Python" for an experiment I'm working on, and reached this article that was published "today". Very nice coincidence! Thanks.
I've tried it out a bit - it does look solid and it has a good team behind it.
It's a subset of Python though (much more so than MicroPython), which is fine for LLMs since they can easily work around any limitations but does mean you can't use a lot of existing Python code with it. I hope they implement classes soon!
I'm also a little bit nervous about the safety. It's a fresh implementation in Rust, which means plenty of possibilities for edge case security bugs. The thing I like about WebAssembly is that there's a robust, well tested sandbox already - better for defense in depth.
I certainly wouldn't bet against Monty though! It may well prove itself to be a great solution for this.
Hey, I'm Dylan, creator of Edge Python. Currently I'm working with the burn.dev framework and WebGPU to embed an ML framework via Edge Python directly in the browser using the GPU, as you said!
I'd be happy if you could try it when it's finished :).
The thing that's missing is Windows support and the ability to get everything I need for it in a Python program by "pip install X" for something that includes relevant binaries as well as Python code.
My use-cases for server-side WASM Python are described here: https://simonwillison.net/2026/Jun/6/micropython-in-a-sandbo... - basically I want to offer end-user customization features that run custom code without buggy or malicious code crashing my app or leaking their data.
Running arbitrary untrusted code safely is pretty easy nowadays, so long as the code is written in JavaScript and you want to run it in a browser. It's only a little harder if the code is written in another language but targets WASM and browser APIs, or if you want to run your WASM inside of NodeJS, and there's even good support for running Python in a browser or Node.
Once you get away from running in a JS environment or away from code that's written with the intention of running in a WASM sandbox, if you don't want to have to modify the code for your environment then you're going to start having problems. This looks like a good step for anyone wanting to run arbitrary Python outside of a browser environment.
Fair -- but I was more meaning that when I browse an arbitrary untrusted website I almost always allow the site owner to run arbitrary untrusted code on my machine. They might not send me any JS, but if they do then my browser will happily execute it.
This stuff always gets me anxious for no reason because of the underlying tokenizer and prediction stochastic parrot that runs stuff, makes me wonder if I should rerun the prompt correcting the typo or accept the token tax on some interpreter that spent translating the intention.
https://labs.leaningtech.com/blog/browserpod-deep-dive
Node.js is now fully supported, Python is in preview and Rust is coming soon.
For a glimpse of the possibilities, check our Claude Code running fully in the browser: https://browsercode.io/claude