cd /news/ai-agents/show-hn-takovm-open-source-sandboxin… · home topics ai-agents article
[ARTICLE · art-45681] src=github.com ↗ pub= topic=ai-agents verified=true sentiment=↑ positive

Show HN: TakoVM – open-source sandboxing for your agent's code

Tako Research released TakoVM, an open-source sandboxing tool for AI agent code execution that provides Docker isolation, job queues, execution history, and retry logic out of the box. The tool aims to simplify secure code execution for enterprise teams deploying AI agents by bundling infrastructure components that standalone sandbox solutions lack.

read3 min views1 publishedJun 30, 2026
Show HN: TakoVM – open-source sandboxing for your agent's code
Image: source

File system and python execution for your agents. Job queues and Docker isolation built-in. Used by teams deploying in enterprise.

English | 日本語

A secure file system for your agents to execute code. Every job runs in its own isolated Docker container, with an ephemeral workspace, optional gVisor sandboxing, job queues, retries, and execution history included.

Where this is headed:durable, per-agent workspaces that persist and rehydrate across runs, a serverless filesystem for agents. Today each container is single-use; persistent workspaces are on the roadmap. gVisor remains the sole isolation boundary.

Documentation ·

·

Quick Start

API Reference

pip install "tako-vm[server]"
tako-vm setup                   # pull the executor Docker image
tako-vm server                  # start server (auto-starts PostgreSQL via Docker)
curl -X POST http://localhost:8000/execute \
  -H "Content-Type: application/json" \
  -d '{"code": "print(1 + 1)"}'

Sandbox solutions like e2b, daytona and microsandbox give you isolated code execution, but that's it. You still need to build:

You build With sandbox-only With Tako VM
Job queue Redis + Celery/Bull Built-in
Execution history Postgres + schema PostgreSQL included
Retry logic Custom code Automatic
Idempotency Deduplication logic idempotency_key
Replay/debugging Custom tooling Rerun/fork API

Tako VM is the complete package:

Job queue + workers- Async execution with worker pool, no Redis/Celery setup** Execution history**- Every job persisted with stdout, stderr, timing, artifacts** Replay to debug**- Rerun past jobs with exact same code and inputs** Docker isolation**- Each job in its own container with seccomp filtering** Network isolation**- No network by default, optional allowlist per job type** Self-hosted**- Your machine, offline-capable, zero per-execution cost

tako-vm setup                     # Pull executor image and verify Docker
tako-vm server                    # Start the API server
tako-vm server --port 9000        # Custom port
tako-vm dev up                    # Start local PostgreSQL for development
tako-vm dev up --with-server      # Start PostgreSQL + API server
tako-vm dev status                # Check local PostgreSQL status
tako-vm dev down                  # Stop local PostgreSQL
tako-vm config                    # Show current configuration
tako-vm config --json             # Output as JSON
tako-vm validate                  # Validate current config
tako-vm validate my.yaml          # Validate specific file
tako-vm status                    # Check server health
tako-vm version                   # Show version
tako-vm --config my.yaml server   # Use specific config file
Topic Link
Installation

docs/getting-started/quickstart.mddocs/getting-started/configuration.mddocs/api/rest.mddocs/api/sdk.mddocs/guide/environments.mddocs/guide/filesystem-and-caches.mddocs/deployment/security.mddocs/deployment/how-to-deploy.mdtako_vm.yaml.exampleTako VM runs untrusted, often AI-generated, code, so isolation is the core of the project. It uses layered defenses: gVisor (userspace kernel), per-job ephemeral Docker containers, a default-deny seccomp profile, network isolation (--network=none

by default), capability dropping, non-root execution, and enforced resource and input limits.

For untrusted workloads in production, set security_mode: strict

with container_runtime: runsc

. The default permissive

mode falls back to standard Docker (runc

) if gVisor is unavailable, which removes the userspace-kernel boundary.

See SECURITY.md for the threat model and hardening guidance, and docs/deployment/security.md for full details.

Found a vulnerability? Report it privately via the Security tabReport a vulnerability. Please do not open public issues for security findings.

Contributions are welcome! See CONTRIBUTING.md for dev setup, testing, and PR conventions. Good entry points are issues labeled good first issue, and

Discussionsis open for questions and ideas.

Questions, feedback, or partnership inquiries? Reach out to seiji@intencion.io.

Apache License 2.0

── more in #ai-agents 4 stories · sorted by recency
── more on @tako research 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/show-hn-takovm-open-…] indexed:0 read:3min 2026-06-30 ·