Running AI coding agents safely is an infrastructure problem most teams haven't solved yet. Bhatti, a new open-source project from developer Sahil Shubham, orchestrates Firecracker microVMs built for agent isolation, in the same vein as Google's Scion, which describes itself as a 'hypervisor for agents'. Each sandbox gets its own Linux kernel, filesystem, and process space. The performance numbers are solid: a paused VM resumes and executes a command in under 3ms, with warm resumes clocking around 462 microseconds. Even on a Raspberry Pi 5, the p50 execution time sits at 1.26ms.

The architecture splits work between a host daemon (bhatti) and a guest agent (lohar) running as PID 1 inside each VM. A thermal management system automatically tiers idle sandboxes from hot to warm to cold, freeing resources without user intervention. Diff snapshots take roughly 20ms after the initial full snapshot, making state management practical for long-running agent sessions. The system also handles multi-tenancy out of the box, with per-user API keys, isolated bridge networks, rate limiting, and encrypted secrets.

E2B offers sandboxed agent environments but as a proprietary platform with usage-based pricing. Modal provides serverless containers for AI workloads but lacks kernel-level isolation. Fly.io uses Firecracker for general-purpose computing, not agent-specific workflows. OpenAI acquired Cirrus Labs to secure sandboxing tech for safely running AI-generated code in isolated environments.

The project ships as a single binary (Apache 2.0 licensed) that works as both CLI and server, downloading its own kernel and Ubuntu 24.04 rootfs during setup. Preview URLs with automatic wake-on-request and session-aware execution that survives disconnects suggest Shubham built this for real agent work, not just as a demo. The trade-off? You need a Linux machine with KVM access and someone willing to run their own infrastructure.