Hyperlight Sandbox
Hyperlight Sandbox is a multi-backend sandboxing framework for running untrusted code with controlled host capabilities. It provides a unified API across multiple isolation backends, including Wasm Component and HyperlightJS, with a common capability model and SDKs for Python, .NET, and Rust.
Key features include:
- Secure code execution — Run untrusted code in hardware-isolated sandboxes (KVM, MSHV, Hyper-V)
- Host tool dispatch — Register callables as tools; guest code invokes them by name with schema-validated arguments
- Capability-based file access — Read-only
/inputdirectory, writable/outputdirectory, strict path isolation - Snapshot / restore — Capture and rewind sandbox runtime state for reuse
- Network allow listing — Network traffic is off by default; allow specific domains and HTTP verbs
- SDKs for multiple languages — Python, .NET, and Rust SDKs
from hyperlight_sandbox import Sandbox
sandbox = Sandbox(backend="wasm", module="python_guest.path")sandbox.register_tool("add", lambda a=0, b=0: a + b)sandbox.allow_domain("https://httpbin.org")
result = sandbox.run("""total = call_tool('add', a=3, b=4)resp = http_get('https://httpbin.org/get')print(f"3 + 4 = {total}, HTTP status: {resp['status']}")""")print(result.stdout)