# OpenSandbox

> Secure, Fast, and Extensible Sandbox runtime for AI agents.

- **URL**: https://www.freshcrate.ai/projects/OpenSandbox
- **Author**: alibaba
- **Category**: Security
- **Latest version**: `docker/egress/v1.0.13` (2026-06-05)
- **License**: Apache-2.0
- **Source**: https://github.com/alibaba/OpenSandbox
- **Homepage**: https://open-sandbox.ai
- **Language**: Python
- **GitHub**: 10,146 stars, 792 forks
- **Registry**: github
- **Tags**: `ai`, `ai-agent`, `ai-infra`, `kubernetes`, `python`, `sandbox`

## Recent releases

| Version | Date | Urgency | Changes |
| --- | --- | --- | --- |
| `docker/egress/v1.0.13` | 2026-06-05 | High | **What's New** **✨ Features:** • **DELETE /policy endpoint for removing egress rules** — new `DELETE /policy` handler accepts a JSON array of target strings and removes matching rules case-insensitively. Targets not found are silently ignored (idempotent). API spec and README updated. (#864) • **Supervisor + cleanup hook** — egress now runs under a dedicated single-worker supervisor (`opensandbox-supervisor`). Previously, a hard crash left stale iptables/nft rules and a zombie mitmdump ho |
| `docker/execd/v1.0.18` | 2026-05-25 | High | **What's New** **🐛 Bug Fixes:** • Kill the entire process group on command cancel. Previously cancellation (client disconnect, timeout, `DELETE /command`) sent SIGKILL only to the bash group leader, so children spawned via `&` or pipelines kept running as orphans. `runCommand` and `killPid` now signal `-pid` (Setpgid group), matching `runBackgroundCommand`; `kill(-pid, 0)` is used for liveness probing. Fixes #922 (#924) • Extend mitmproxy CA wait from 30s to 300s and log the actual wait dura |
| `k8s/image-committer/v0.1.0` | 2026-05-21 | High | 🎉 Initial version of image-committer |
| `js/sandbox/v0.1.7` | 2026-05-15 | High | **What's New** **✨ Features:** • Added platform-aware sandbox creation for the JavaScript SDK. `Sandbox.create()` now accepts a `platform` constraint so callers can request runtime OS/architecture explicitly, while existing image-based creation remains compatible by default. This is useful for deployments that schedule across mixed Docker/Kubernetes platforms. https://github.com/alibaba/OpenSandbox/pull/645 • Added richer storage and Windows sandbox creation options. The JS models now include |
| `python/sandbox/v0.1.8` | 2026-05-08 | High | **What's New** **✨ Features:** • Add first-class Python sandbox pool support for both async and sync clients. This release includes single-node in-memory pools, optional Redis-backed distributed pool stores via `opensandbox[pool-redis]`, lifecycle snapshots, resize/reconcile behavior, stale-idle cleanup, and documentation for operating distributed pools. Redis support is exposed from `opensandbox.pool_redis` so the base SDK import path does not require Redis dependencies. by @ninan-nn in https:/ |
| `docker/ingress/v1.0.7` | 2026-05-06 | High | **What's New** **✨ Features:** • **Multi-namespace support**: Ingress watches sandbox CRs across all namespaces instead of a single one. `--namespace` flag deprecated. Ambiguous sandbox IDs across namespaces are rejected. (#699) • **Secure access routing (OSEP-0011)**: Added `--secure-access-keys` flag for signed URL verification. Sandboxes with `opensandbox.io/secure-access` require valid signatures; sandboxes without it continue to work with unsigned routes. (#761) • **Log rotation**: Fi |
| `docker/egress/v1.0.10` | 2026-04-29 | High | **What's New** **✨ Features:** • Log rotation via lumberjack for file-based log outputs. Auto-enabled with defaults (100 MB max size, 30-day retention, 10 backups) when log path is a file. stdout/stderr unaffected. (#791) **🐛 Bug Fixes:** • Fix mitmproxy OOM kill by streaming large response bodies (>1 MB) to disk instead of buffering them in memory. Adds automatic mitmdump restart on unexpected exit, so transient failures no longer take down the egress proxy. (#819) • Address CodeQL stati |
| `docker/egress/v1.0.9` | 2026-04-26 | High | **What's New** **✨ Features:** • precompile domain rule index for fast Evaluate while preserving first-match semantics (#722) • refactor egress's system CPU and memory collector by gopsutil (#697) **🐛 Bug Fixes:** • check uid/gid fit in int before ParseUint cast (#756) **📦 Misc:** • mitmproxy docs and benchmark update (#753) **👥 Contributors:** Thanks to these contributors ❤️ • @Pangjiping **Images:** • Docker Hub: opensandbox/egress:v1.0.9 • Aliyun Registry: sandbox-registry.cn- |
| `docker/execd/v1.0.13` | 2026-04-21 | High | **What's New** **✨ Features:** • basic runtime OTEL metrics for execd (#697) • pre-build `execd.exe` and `install.bat` to execd release image for windows distribution (#712) **🐛 Bug Fixes:** • fix permission error when sync mitmproxy certs (#734) • enlarge mitmproxy certs wait time to 30s (#762) **👥 Contributors:** Thanks to these contributors ❤️ • @Pangjiping **Images:** • Docker Hub: opensandbox/execd:v1.0.13 • Aliyun Registry: sandbox-registry.cn-zhangjiakou.cr.aliyuncs.com/opens |
| `server/v0.1.11` | 2026-04-19 | High | **What's New** **✨ Features:** • auto-create PVC/Docker volumes on sandbox creation (#661) **🐛 Bug Fixes:** • fix incorrect metadata error message (#703) • use `[log].level` instead of `[server].log_level` (#737) • relax ingress gateway address validation for URI route mode (#740) **📦 Misc:** • simplify example configuration (#741) • refactor large file kubernetes_service.py (#694) • add Dockerfile.dockerignore to reduce build context (#718) • chore(deps-dev): bump pytest from 9.0.1 |

## Dependency audit

- **Score**: 100/100
- **Total deps**: 0
- **Resolved**: 0
- **Unresolved**: 0
- **License conflicts**: 0
- **Warnings**: 0
- **Scanned**: 2026-05-04

## Citation

- HTML: https://www.freshcrate.ai/projects/OpenSandbox
- Markdown: https://www.freshcrate.ai/projects/OpenSandbox.md
- Dependencies JSON: https://www.freshcrate.ai/api/projects/OpenSandbox/deps

_Generated by freshcrate.ai. Indexes github releases for AI-agent ecosystem packages._
