June 18, 2026 | Agents, Infrastructure, Open Source

VELA is a seatbelt for agent code

VELA is a new open-source guard for the scariest thing agents do: write code and then run it. The insight behind it is simple. As agents get more autonomous, the risk stops being "can the model write code?" and becomes "where is that code actually executing?" Running model-generated code straight on your host is a quiet disaster waiting to happen, and most people are doing exactly that.

VELA, built on a runtime called Aegis, drops a policy-driven layer between the agent and your infrastructure. It runs untrusted code inside Firecracker micro-VMs, uses HMAC capability tokens, enforces fine-grained filesystem and network restrictions, returns structured results, and keeps a full JSONL audit trail of everything that happened. It's MIT licensed and wired up for LangChain and LlamaIndex out of the box.
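To make the token, policy and audit pieces concrete, here is an added sketch (not VELA's or Aegis's code, and not their token format) of an HMAC-signed capability token that is checked default-deny, with every decision written as a JSONL line. The claim schema, the function names, the key and the sample paths and hosts are all hypothetical.

```python
import base64, hashlib, hmac, json, posixpath

KEY = b"constructed-demo-key"  # constructed value; load real keys from a secret store

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_token(key, agent, caps, ttl, now):
    """Sign a capability set (hypothetical schema) so the agent cannot widen it."""
    body = json.dumps({"agent": agent, "caps": caps, "exp": now + ttl},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def verify_token(key, token, now):
    """Return the claims if the MAC and expiry check out, else None."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong part count or bad base64
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(body)  # parsed only after the MAC has been verified
    return claims if claims["exp"] > now else None

def authorize(key, token, action, target, now, audit):
    """Default-deny check of one request; appends one JSONL audit line either way."""
    claims = verify_token(key, token, now)
    if claims is None:
        decision, agent = "deny:bad_token", None
    else:
        agent = claims["agent"]
        allowed = claims["caps"].get(action, [])
        if action == "fs_read":
            # Lexical normalisation only: blocks "/work/../etc", not symlinks.
            ok = any(posixpath.normpath(target).startswith(p) for p in allowed)
        else:
            ok = target in allowed
        decision = "allow" if ok else "deny:not_granted"
    audit.append(json.dumps({"ts": now, "agent": agent, "action": action,
                             "target": target, "decision": decision}, sort_keys=True))
    return decision == "allow"

if __name__ == "__main__":
    audit = []
    tok = issue_token(KEY, "agent-1", {"fs_read": ["/work/"]}, ttl=60, now=1000)
    print(authorize(KEY, tok, "fs_read", "/work/../etc/passwd", 1001, audit), audit)
```

A check like this only decides what the sandbox is asked to do; the isolation itself still comes from the micro-VM boundary.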

The reason this matters is that the agent sandbox is quietly becoming its own category. In the last two weeks alone we've seen Apple's Container framework, Claude Desktop shipping a sandbox VM, Microsoft's kernel-level MXC, and SolonGate intercepting tool-call payloads. VELA is the open, self-hostable entry in that lineup, aimed squarely at developers rather than platforms.

My read: code execution is the highest-leverage place to put a safety boundary, because that's where an agent goes from talking to doing actual damage. Identity and prompt-injection filters matter, but the moment the agent runs a command, the micro-VM is the thing standing between a bad instruction and your production box. VELA being free and open removes the last excuse not to have one.