Arbor gives AI agent teams microVM-isolated workspaces they can snapshot mid-task, fork into parallel branches, and restore safely — all inside your own VPC. The only sandbox where branching is a first-class primitive.
// Set up a workspace, snapshot before the risky migration, // then fork three parallel agents to try different approaches. let workspace = Arbor::new().await?; workspace.run("git clone git@github.com:acme/monorepo.git .").await?; let checkpoint = workspace.snapshot("before-migration").await?; // Three isolated worlds. None can observe or interfere with each other. let postgres = checkpoint.fork("postgres-migration").await?; let redis = checkpoint.fork("redis-approach").await?; let skip = checkpoint.fork("skip-migration").await?; // Each fork: quarantined → identity resealed → credentials re-issued → READY let results = join_all([ postgres.run("cargo test --test integration"), redis.run("cargo test --test integration"), skip.run("cargo test --test integration"), ]).await;
Firecracker warns that restoring the same checkpoint twice gives both VMs identical PRNG seeds, token caches, and SSH state. Arbor solves this with a quarantine + reseal protocol enforced at the infrastructure level — no application coordination required.
The VM never receives your API keys. The host-side egress proxy injects credentials at the network boundary. Agents see OPENAI_API_KEY=arbor-brokered. Prompt injection, supply chain attacks, and environment leaks are structurally impossible.
Every checkpoint records its parent, forming a DAG of execution history. Fork three agents from the same pre-migration state, let them explore in parallel, and merge the winner — without any of them observing each other.
Each workspace lives in its own Linux network namespace. The only route out is through the host-side proxy. Egress is physically impossible to bypass — there's no route, not just a rule. nftables enforces the allowlist at the kernel level.
The entire control plane, runner pool, and egress proxy run inside your VPC. Code, secrets, and agent activity never leave your network. This is the deployment model — not an enterprise add-on. Docker Compose up in under five minutes.
Built on Firecracker, the same microVM technology AWS uses for Lambda. Full VM isolation — not containers — with boot times competitive with container startups. Firecracker's Jailer provides an additional seccomp/cgroup isolation layer.
// Every fork goes through quarantine + reseal before READY. // Enforced at infrastructure level. Zero app coordination needed. fork(checkpoint_id) └─ new VM boots in QUARANTINED state ├─ all egress blocked ├─ all attach tokens invalidated └─ reseal hook chain runs: 1. bump identity_epoch → new VM identity 2. rotate session tokens 3. re-sign preview URLs 4. revoke + re-issue secret grants 5. re-seed guest entropy via vsock ───────────────────────────────── state → READY
Each fork gets a new identity epoch, preventing session tokens from crossing workspace boundaries.
All attach tokens from the parent snapshot are invalidated. New tokens are issued for the forked workspace only.
Secret grants are revoked and re-issued with fresh IDs. The egress proxy registry is updated atomically.
Guest PRNG is re-seeded via vsock, eliminating the shared-entropy correctness bug Firecracker warns about.
On credential brokering: when an agent calls api.openai.com, traffic flows: agent process → VM netns (blocked by default) → host TAP device → arbor-egress-proxy → allowlist check → credential injection → upstream. The VM never receives the credential value. Even if the agent logs its environment, leaks it to a supply-chain compromise, or is manipulated by prompt injection — the real key was never there.
| Feature | Arbor | E2B | Docker Sandboxes | Modal | Daytona |
|---|---|---|---|---|---|
| VM-level isolation | ✓ Firecracker | ✓ Firecracker | — | — container | — mixed |
| Fork from checkpoint | ✓ first-class API | ✗ | ✗ | ✗ | ✗ |
| Branch-safe restore | ✓ unique | ✗ | ✗ | ✗ | ✗ |
| Credential brokering | ✓ host-side proxy | ✗ | ~ partial | ✗ | ✗ |
| Default-deny egress | ✓ | ~ partial | ✓ | ✗ | ✗ |
| Self-host / VPC-first | ✓ first-class | ✗ SaaS only | ✗ SaaS only | ✗ SaaS only | ✓ |
| Sub-150ms boot | ✓ | ✓ | ✗ | ✓ | ✗ |
| Open source | ✓ MIT / Rust | ~ SDK only | ✗ | ✗ | ✓ |
git clone github.com/Billy1900/Arbor
cd Arbor
cp deploy/.env.example deploy/.env
make docker-up
# API: localhost:8080
# MinIO: localhost:9001
make register-dev-runner
# Registers this machine
# as fc-x86_64-v1 class
make demo-fork
# Creates workspace,
# snapshots, forks 3 branches