Linux x86_64 & ARM64 · Windows WSL2 · macOS (beta)

The zero-trust governance layer
for AI agents.

Docker isolates environments. Envpod governs access to real ones.

AI agents are only useful when they can work with your real files, tools, and workflows. But direct host access breaks the trust model. Envpod lets agents work in your real environment through a copy-on-write layer, so every change is reviewable before it reaches the host.

Get started ↓ View on GitHub

curl -fsSL https://envpod.dev/install.sh | sh

Linux · x86_64 or ARM64 · Windows WSL2 · macOS beta · ~9 MB

$ envpod diff my-agent
M  .gitconfig
A  src/utils.py
A  src/helper.py
D  tests/old_test.py
A  node_modules/...  (47 files)

$ envpod commit my-agent src/ --rollback-rest
Committed 2 file(s). Rolled back 48.

Nothing lands on the host until you review it.

$ envpod init full-ws -c workstation-full.yaml
Pod Created · full-ws  1.1s
  Display  noVNC → http://10.200.3.2:6080/vnc.html

$ envpod start full-ws
✓ Chrome, Firefox, VS Code, GIMP, LibreOffice
✓ XFCE desktop via noVNC in your browser
✓ GPU passthrough, audio streaming
✓ 2.6 GB overlay (host not duplicated)

Full desktop for AI agents. 83 lines of YAML.

envpod full desktop — Chrome, VS Code, terminal in XFCE via noVNC

Full desktop in your browser. Chrome, VS Code, GIMP, LibreOffice — governed.

$ envpod vault my-agent set ANTHROPIC_API_KEY
✓ Encrypted with ChaCha20-Poly1305

$ envpod run my-agent -- env | grep API
# nothing — agent never sees the key

# vault proxy injects credentials into HTTPS
# requests transparently. Zero-knowledge.

Agent never sees your API keys.

$ envpod audit my-agent
14:23:01  Create    pod initialized
14:23:05  DnsQuery  api.anthropic.com ✓
14:23:06  DnsQuery  evil.corp ✗ blocked
14:23:12  Commit    src/utils.py +47 lines
14:23:12  Rollback  48 files discarded

$ envpod resize my-agent --memory 8GB --cpus 4
✓ Live — no restart needed

Every action audited. Live resource mutation.

Isolation is a wall. Governance is a policy.

Walls are useful but blunt. Policies are precise.

Zero-trust governance means nothing is permitted unless explicitly granted. Every write captured. Every action audited. Every secret isolated.

One YAML file. A foundation, four walls, and a governance ceiling.

You write pod.yaml. The agent runs with kernel-level isolation on all sides and a governance layer that intercepts every significant action.

Governance ▲vault · audit · queue

NetworkDNS filter

🤖Claude Codecoding agent

Processorcgroups v2

Memorynamespace

Devicespassthrough

Envpod FSOverlayFS COW

Governance ▲vault · audit · queue

NetworkDNS filter

🌐browser-usebrowser agent

Processorcgroups v2

Memorynamespace

DevicesWayland · GPU

Envpod FSOverlayFS COW

Governance ▲vault · audit · queue

NetworkDNS filter

⚡ML TrainingGPU agent

Processorcgroups v2

Memorynamespace

DevicesNVIDIA GPU

Envpod FSOverlayFS COW

envpod CE Vault · Action Queue · Audit · DNS daemon · Snapshots · Web Display · Dashboard · seccomp-BPF

Host File System your real files · no base image · no container OS

Linux Kernel Namespaces (PID, net, mount, UTS, user) · cgroups v2 · OverlayFS · veth pairs

🗂️

Copy-on-Write Filesystem

Every write goes to an OverlayFS overlay. Host untouched until you approve. envpod diff, envpod commit, envpod rollback. Named snapshots with auto-checkpoint and promote-to-base.

⚡

Base Pods & Fast Cloning

Run envpod init once. Clone from it in ~8ms. Spin up 50 identical agents in seconds, each with its own isolated overlay.

🖥️

Web Dashboard

envpod dashboard — local web UI. Fleet overview, live resource stats, audit timeline, diff viewer with commit/rollback buttons.

Works with every major AI agent

45 ready-made pod configs in examples/. Three commands to go from zero to governed.

Claude CodeCoding

Anthropic's CLI coding agent. DNS-locked to api.anthropic.com, GitHub, and package registries.

$ envpod init claude-code -c examples/claude-code.yaml

$ envpod run claude-code -- claude

OpenAI CodexCoding

OpenAI's CLI coding agent. Envpod wraps Codex's own sandbox as the outer governance layer.

$ envpod init codex -c examples/codex.yaml

$ envpod run codex -- codex

AiderCoding

Open-source AI pair programmer. Supports Anthropic, OpenAI, DeepSeek, Google via litellm.

$ envpod init aider -c examples/aider.yaml

$ envpod run aider -- aider --model sonnet

SWE-agentCoding

Princeton's autonomous software engineering agent. Clones repos, analyzes code, submits patches.

$ envpod init swe-agent -c examples/swe-agent.yaml

$ envpod run swe-agent -- python -m swe_agent.run

Gemini CLICoding

Google's Gemini CLI agent. DNS-locked to googleapis.com, GitHub, and npm registries.

$ envpod init gemini -c examples/gemini-cli.yaml

$ envpod run gemini -- gemini

OpenCodeCoding

Go-based TUI coding agent. 75+ LLM providers including local Ollama.

$ envpod init opencode -c examples/opencode.yaml

$ envpod run opencode -- opencode

45 configs total — browse all examples →

Where governed execution wins

Better than "just run it in a container" when the agent has real-world side effects.

local coding agents

Safe code generation

Let an agent refactor your repo. Review every diff. Approve only what you want. Roll back the rest. No files lost, no surprise commits.

security-first automation

Controlled tool use

Restrict DNS egress, scope secrets to specific domains, and keep a tamper-evident audit trail for sensitive workflows and regulated environments.

GPU workloads

GPU-enabled agents

Run local inference or training with native NVIDIA/AMD passthrough — without giving the agent full host access. No toolkit configuration.

agent swarms

Fast fan-out

Clone governed environments in ~8ms each. Spin up 50 parallel agents with consistent policies. Each gets its own isolated overlay.

incident response

Kill switch

Freeze or kill misbehaving pods immediately. Restrict resources and network mid-flight. No restart required. Resume when ready.

regulated environments

Auditability

Action-level JSONL logs and pre-run security scans support compliance requirements and forensic reconstruction of agent behavior.

33 tools. 2,000 lines. 8 weeks.
Or one pod.yaml.

Every enterprise security tool assumes deterministic code written by a human. envpod is built for agents that decide what to do at runtime.

Capability	Prisma Cloud	Sysdig	Wiz	Vault	Datadog	Crowd Strike	envpod
Container runtime + GPU	—	—	—	—	—	—	✓
COW diff / commit / rollback	—	—	—	—	—	—	✓
Encrypted vault + proxy injection	~	—	—	✓	—	—	✓
OPA/Rego policy (7 decision points)	~	—	—	—	—	—	✓
Governance scorecard (A–F grades)	—	—	—	—	—	—	✓
Kernel-level seccomp + namespace	~	✓	—	—	—	✓	✓
DNS allowlist + L7 network policy	—	~	—	—	—	—	✓
OpenTelemetry + Grafana native	—	~	—	—	✓	—	✓
Tamper-proof audit log	—	—	—	—	—	—	✓
Health probe + per-service recovery	—	—	—	—	~	—	✓
Desktop + audio (noVNC)	—	—	—	—	—	—	✓
Agent-native governance (MCP, escalation)	—	—	—	—	—	—	✓
Combined cost	$155–281/host/month + engineering						$0 (CE) or $399/seat

✓ = native ~ = partial — = not available Full OWASP coverage →

The governance workflow

Complete agent lifecycle — sandboxed, governed, auditable, reversible.

Define the pod

One YAML: network policy, resource limits, device access, action catalog, vault keys. envpod audit --security checks for misconfigurations before you deploy.

Agent runs inside the overlay

Host filesystem is read-only base. Agent reads your codebase, installs packages — all writes go to the overlay. Sub-second start.

Every action goes through the queue

Push code, send email, call API — each hits the four-tier queue. Immediate actions execute. Staged actions wait for envpod approve. Blocked actions denied.

Credentials stay invisible

API keys live in the encrypted vault. Envpod injects them at execution time. The agent never sees the real secret.

You review the diff

envpod diff shows every file changed. Commit individual files. Export to staging first with --output.

Nothing persists without your approval

envpod rollback discards everything. envpod snapshot restore returns to any checkpoint. Auto-snapshots before every run. Promote any snapshot to a clonable base. envpod destroy — no traces.

See it in action

Terminal screencasts of every major feature. Each demo is under 2 minutes.

Quick Start

Create a pod, run commands, diff, rollback, audit — in 60 seconds.

Governance

Agent writes malicious files — host stays untouched. Diff, review, rollback.

Credential Vault

Encrypted secrets — agent sees masked keys, real keys never exposed.

Network Isolation

DNS allowlist in action — allowed vs blocked domains, live audit.

Desktop Pod

Full XFCE desktop via noVNC — in your browser, fully governed.

Fleet Management

3 agents at once — start, diff, commit/rollback, stop in batch.

Install

One curl command — single binary, no dependencies, 9MB.

Pod Config

Claude Code pod.yaml walkthrough — every section explained.

Desktop Config

Desktop pod.yaml — noVNC, XFCE, browser seccomp, comparison table.

View all demos on YouTube →

Isolation is a wall. Governance is a policy.

Docker was built for microservices. Envpod was built for agents.

Docker

🤖 AI Agent your application

✗ no governance layer

Container process isolation only

Container OS ubuntu / alpine base image

Docker Engine daemon · 35 MB overhead

Linux Kernel namespaces · cgroups

envpod CE

Governance ▲vault · audit · queue · diff · rollback

NetworkDNS filter

🤖AI Agentyour application

Processorcgroups

Memorynamespace

Devicespassthrough

Envpod File SystemHost OS clone + OverlayFS COW

Host File System your real files · no base image

Linux Kernel namespaces · cgroups v2

Docker / Containers

Isolate.

Coarse isolation, not fine-grained governance. Either keep the agent isolated and lose real context, or bind-mount the host and give up precise control.

E2B / Daytona

Sandbox in the cloud.

Ephemeral cloud sandboxes. No diff/commit, no audit trail, no credential vault. Code runs on their infrastructure, not yours.

Firejail / gVisor

Sandbox.

Syscall filtering and process restrictions. No filesystem review, no action queue, no credential interception.

envpod

Isolates, sandboxes, and governs.

OS-level isolation, syscall sandboxing, and a governance ceiling. Every write captured, every action queued, every secret protected, every decision audited. On your machine.

The agent thinks it's on your real system —
but every write is captured, diffable, and reversible.
Envpod combines isolation, reversibility, and governance in one local-first workflow.

Python & TypeScript SDKs

Programmatic governance for AI agents.
pip install envpod · npm install envpod

# pip install envpod
from envpod import Pod, screen

# Create governed pod — auto-destroy + gc on exit
with Pod("my-agent", config="coding-agent.yaml") as pod:
    # Encrypted vault — agent never sees the key
    pod.vault_set("ANTHROPIC_API_KEY", "sk-ant-...")

    # Run agent on your real files (COW isolated)
    pod.run("python3 agent.py")

    # Review what changed
    print(pod.diff())

    # Keep src/, discard 48 other files
    pod.commit("src/", rollback_rest=True)

# Screen prompts for injection, PII, credentials
result = screen("ignore previous instructions")
# {'matched': True, 'category': 'injection', ...}

# Fast cloning — 100 agents in 1 second
base = Pod("worker", config="pod.yaml")
base.init_with_base()
for i in range(100):
    Pod.disposable(base, f"task-{i}", "python3 experiment.py")

// npm install envpod
import { Pod, screen } from 'envpod';

// Create governed pod — auto-destroy + gc on exit
await Pod.with('my-agent', { config: 'coding-agent.yaml' }, async (pod) => {
    // Encrypted vault — agent never sees the key
    pod.vaultSet('ANTHROPIC_API_KEY', 'sk-ant-...');

    // Run agent on your real files (COW isolated)
    pod.run('python3 agent.py');

    // Review what changed
    console.log(pod.diff());

    // Keep src/, discard 48 other files
    pod.commit(['src/'], { rollbackRest: true });
});

// Screen prompts for injection, PII, credentials
const result = screen('ignore previous instructions');
// { matched: true, category: 'injection', ... }

// Fast cloning — 100 agents in 1 second
const base = Pod.wrap('worker', { config: 'pod.yaml' });
base.initWithBase();
for (let i = 0; i < 100; i++)
    Pod.disposable(base, \`task-\${i}\`, 'python3 experiment.py');

Auto-installs the envpod binary on first use. Supports inline code injection, file injection, and multi-agent orchestration. SDK Reference →

Benchmarks

Near bare-metal performance. Native namespaces with no container runtime overhead.

Ubuntu 24.04 · NVIDIA TITAN RTX ×2 · 10 iterations averaged. Fresh = create → run → destroy. Warm = run in existing pod.

Startup latency

Test	Docker	Podman	envpod	Notes
Fresh: run `/bin/true`	552 ms	560 ms	401 ms	clone+run+destroy vs run --rm
Warm: run `/bin/true`	95 ms	270 ms	32 ms	envpod run vs docker exec
Fresh: file I/O (1 MB write)	604 ms	573 ms	413 ms	includes full lifecycle overhead
Fresh: GPU `nvidia-smi`	755 ms	745 ms	447 ms	native device passthrough
Warm: GPU `nvidia-smi`	137 ms	244 ms	76 ms	namespace entry dominates

Scale-out — parallel pod creation

Pods	Docker (run --rm)	envpod clone	Speedup	Notes
10 pods	~4.8 s	~94 ms	51×	no image pull, no layer decompression
25 pods	~12.1 s	~213 ms	57×	OverlayFS COW — shared lower layer
50 pods	~24.6 s	~408 ms	60×	symlinked rootfs, each clone ~8 ms
100 pods	~49.3 s	~890 ms	55×	linear scaling — no coordination overhead

Resource overhead per instance

Metric	Docker	envpod	Notes
Daemon / runtime overhead	~35 MB RSS	0 MB	no daemon process — runs in init process
Per-pod memory (idle)	~9 MB	~4 MB	namespace + cgroup metadata only
50-pod total overhead	~635 MB	~200 MB	3× lower total footprint at fleet scale
Disk per clone (COW)	~240 MB (layer copy)	~1 MB (COW diff)	only writes are stored per-pod

Fleet scale: 100 envpod clones spin up in under 1 second — no image registry, no layer pulls, no build step. Each clone shares the base rootfs via OverlayFS; only per-pod writes use additional disk. Docker requires a full layer copy per container, making parallel agent swarms 50–60× slower to provision.

Quick Start

Single static binary. No daemon, no runtime dependencies. Requires Linux with cgroups v2.

# Auto-detects architecture — prompts for sudo after download

$ curl -fsSL https://envpod.dev/install.sh | sh

Try it in 30 seconds:

$ sudo envpod init hello
$ sudo envpod run hello -- bash -c "echo 'governed' > /home/agent/hello.txt"
$ sudo envpod diff hello
$ sudo envpod commit hello   # or: sudo envpod rollback hello

OpenClaw on WhatsApp, Telegram, Discord — finally governed:

pod.yaml

# openclaw — personal AI agent on messaging platforms
network:
  mode: Monitored
  dns:
    mode: Allowlist
    allow:
      - api.anthropic.com       # LLM providers
      - api.openai.com
      - "*.whatsapp.com"        # messaging platforms
      - "*.telegram.org"
      - "*.discord.com"
      - registry.npmjs.org     # npm
processor:
  cores: 2.0
  memory: "1GB"
budget:
  max_duration: "24h"
audit:
  action_log: true
setup:
  - "npm install -g openclaw"

$ sudo envpod init openclaw -c pod.yaml
$ sudo envpod setup openclaw                  # runs npm install
$ sudo envpod vault openclaw set ANTHROPIC_API_KEY
$ sudo envpod run openclaw -- openclaw
$ sudo envpod audit openclaw                  # every action logged

Requirements: Linux kernel 5.15+ · cgroups v2 · OverlayFS · root (for namespace setup) · ~9 MB disk
Windows: install WSL2 with Ubuntu 24.04. macOS: install OrbStack (lightweight Linux VM).

Installation guide · Quick start · Tutorials · CLI Reference

Pricing

Free to use. Premium when you need more.

The full governance stack is free and self-hosted. Premium adds identity, OPA policy, fleet orchestration, and advanced security for production.

Available now

Free

forever · self-hosted · BSL 1.1

Everything you need to govern AI agents on your own machine.

Unlimited pods
Filesystem isolation — OverlayFS copy-on-write, diff, commit, rollback
Network isolation — per-pod DNS resolver, allowlist/denylist/remap
Process isolation — PID namespace, cgroups v2, seccomp-BPF
Encrypted credential vault — ChaCha20-Poly1305
Action queue — 20 built-in types, four approval tiers
Append-only audit log + static security scan
Web dashboard — fleet overview, live stats, diff from browser
Base pods + fast cloning (~8ms)
GPU, display & audio passthrough
Web display (noVNC) — desktop, audio streaming, file upload
Snapshots — create, restore, auto-checkpoint, promote to base
Interactive init wizard + 18 built-in presets
Port forwarding — localhost, public, pod-to-pod
Host app auto-mount — which + ldd, zero reinstall
Clone host user — your files, tools, dotfiles in the pod
Pod-to-pod discovery (envpod-dns daemon)
Health checks — auto-restart on failure, graceful shutdown
Port exposure firewall — only declared ports reachable on pod IP
Service registration — envpod service register for auto-start on boot
Budget enforcement — auto-kill after max_duration
Jailbreak test — built-in security boundary probe
68 example configs (web servers, AI agents, desktops, ML, security)

Install now →

Available now

Premium

$399 / seat / mo

per seat · self-hosted · billed monthly

Everything in Free, plus identity, policy, fleet orchestration, and advanced security.

Everything in Free, plus:
Agent identity — Ed25519 keypair per pod, JWT tokens, per-agent vault scoping
OPA policy engine — 7 Rego decision points: queue, vault, commit, DNS, L7, MCP, pod-to-pod
L7 pod-to-pod governance — HTTP method, path, and capability checks on inter-pod traffic
Vault proxy — transparent HTTPS MITM, agent never sees real API keys
L7 network policy — HTTP method and path filtering per agent
OIDC / SSO — Okta, Azure AD, Google, Keycloak. Three identity layers: human, pod, agent
Privilege escalation — agents request elevated access, scoped grants (one-time, session, permanent)
Infrastructure as Code — declarative fleet manifests with namespace isolation
Parallel clone + scale — CPU affinity distribution, wave-based batch executor
Sealed mode — zero host visibility, agent cannot see the host filesystem
Tailscale mesh — per-pod tailnet identity, remote access from anywhere
Dashboard control — create, destroy, and clone pods from the browser
Governance scorecard — 7-dimension GPA/CWA grading with auto-governance rules
Adversarial verification — envpod verify proves isolation holds under attack
OWASP ASI 10/10 attestation — envpod audit --owasp signed compliance report
OpenTelemetry — OTLP export to Grafana, Datadog, New Relic, Splunk, any backend
Grafana monitoring — pre-built dashboards for fleet, pod detail, security
DoH blocking — prevent DNS-over-HTTPS bypass to known resolvers
Priority support — direct line to the team

Get Premium →

Manage subscription · Lost your key?

See full CE vs Premium feature comparison →

Need fleet-scale governance, SSO, or compliance reporting? Talk to us about Enterprise →

The zero-trust governance layer
for AI agents.

One YAML file. A foundation, four walls, and a governance ceiling.

Works with every major AI agent

Where governed execution wins

Safe code generation

Controlled tool use

GPU-enabled agents

Fast fan-out

Kill switch

Auditability

33 tools. 2,000 lines. 8 weeks.
Or one pod.yaml.

The governance workflow

Define the pod

Agent runs inside the overlay

Every action goes through the queue

Credentials stay invisible

You review the diff

Nothing persists without your approval

See it in action

Quick Start

Governance

Credential Vault

Network Isolation

Desktop Pod

Fleet Management

Install

Pod Config

Desktop Config

Isolation is a wall. Governance is a policy.

Python & TypeScript SDKs

Benchmarks

Quick Start

Free to use. Premium when you need more.

Talk to us

Want envpod inside your platform?

Need fleet-scale governance?

Docker was built for microservices.
Envpod was built for agents.

The zero-trust governance layerfor AI agents.

One YAML file. A foundation, four walls, and a governance ceiling.

Works with every major AI agent

Where governed execution wins

Safe code generation

Controlled tool use

GPU-enabled agents

Fast fan-out

Kill switch

Auditability

33 tools. 2,000 lines. 8 weeks.Or one pod.yaml.

The governance workflow

Define the pod

Agent runs inside the overlay

Every action goes through the queue

Credentials stay invisible

You review the diff

Nothing persists without your approval

See it in action

Quick Start

Governance

Credential Vault

Network Isolation

Desktop Pod

Fleet Management

Install

Pod Config

Desktop Config

Isolation is a wall. Governance is a policy.

Python & TypeScript SDKs

Benchmarks

Quick Start

Free to use. Premium when you need more.

Talk to us

Want envpod inside your platform?

Need fleet-scale governance?

Docker was built for microservices.Envpod was built for agents.

The zero-trust governance layer
for AI agents.

33 tools. 2,000 lines. 8 weeks.
Or one pod.yaml.

Docker was built for microservices.
Envpod was built for agents.