Cloud sandboxes for code and agents
A safe place
to run anything.
Shells runs isolated language sandboxes on Omega — created in seconds, bounded by Keystone, controlled down to the last byte of filesystem state. Humans get a console. Agents get MCP.
The console
01
Your fleet, live.
Every shell in the tenant — status, runtime class, region, age — polling live from Omega. Nothing hides behind a refresh button.
02
Pick a runtime. Run.
Language preset — bash, node, python, rust, go. Isolation class — wasm, container, microvm. Network — sealed by default. One dialog, seconds to running.
03
Every action, on the record.
Restart, snapshot, fetch logs, reinstall the OS — each action lands in the always-dark activity terminal. Stop and wipe state live in a danger zone, deliberately out of thumb's reach.
04
Credentials that expire by design.
Term credentials are minted short-lived, shown masked, and die in minutes. Copy what you need now — there is nothing durable to steal later.
05
Dark mode, naturally.
The console follows your system — and the terminal surface stays dark in both themes, because logs belong on black.
MCP-first automation
Agents run code here,
so it doesn't run on you.
Shells ships an MCP server as a first-class interface — not an afterthought. Every agent invocation flows through one gate, checked against the shells.agent.invoke entitlement plus the underlying instance permission. Same boundary as humans. Zero side doors.
shells_list
Enumerate every shell the caller can see — scoped by Keystone tenant, never wider.
shells_create
Spin up a sandbox with language, runtime class, and network mode — same contract as the console dialog.
shells_action
Run lifecycle capabilities — restart, snapshot, logs, reinstall_os, stop, wipe_state — with per-instance permission checks.
shells_term
Mint short-lived live-session credentials. They expire in minutes; agents re-mint instead of hoarding.
POST /api/agent/invoke · gated by shells.agent.invoke
Developer surface
One product, three doors.
A typed TypeScript SDK, a plain REST API, and an MCP server — all fronting the same Omega-backed facade with the same Keystone checks. Pick the door that fits the caller; the boundary never changes.
import ShellsClient from "@l1fe/shells"; const shells = new ShellsClient({ baseUrl: "https://app.shells.sh", token: process.env.SHELLS_API_TOKEN, }); // create → act → mint — fully typed const shell = await shells.create({ language: "rust", runtime: "microvm" }); await shells.action(shell.id, "snapshot"); const term = await shells.term(shell.id); await shells.action(shell.id, "wipe_state");
# create a shell curl -X POST https://app.shells.sh/api/shells \ -H "authorization: Bearer $SHELLS_API_TOKEN" \ -d '{"language":"python","runtime":"wasm","network":"sealed"}' # run a lifecycle action curl -X POST https://app.shells.sh/api/shells/$ID/action \ -d '{"capability":"logs"}' # mint short-lived term credentials curl -X POST https://app.shells.sh/api/shells/$ID/term
// claude / any MCP client — config { "mcpServers": { "shells": { "command": "npx", "args": ["@l1fe/shells-mcp"], "env": { "SHELLS_API_TOKEN": "..." } } } } // tools: shells_list · shells_create · shells_action · shells_term
Isolation & lifecycle
Strong walls. Clean exits.
Choose how hard the boundary is at create time, keep the network sealed unless you say otherwise, and end every experiment the way it started: from zero. Destructive controls are separated, confirmed, and recorded.
Runtime classes
wasm
Capability-scoped WebAssembly. Near-instant start, smallest possible surface.
container
Familiar toolchains and filesystems with namespace isolation.
microvm
Hardware-virtualized boundary for code you trust least.
Network modes
sealed
No egress at all. The default, because it should be.
internet
Opt-in outbound access when the workload genuinely needs it.
localhost
Loopback only — services can talk to themselves, nothing else.
Lifecycle capabilities
logs
Pull execution logs on demand through the action API.
restart
Bounce the session without losing the deployment.
snapshot
Capture state before risky work — restore points on purpose.
reinstall_os
Rebuild the base image. A clean machine, same identity.
stop
End the session. Deliberate, confirmed, logged.
wipe_state
Destroy filesystem state entirely. Nothing lingers.
Comparisons
We wrote the honest version.
Isolation model, agent integration, lifecycle safety, credential handling, pricing — including the cases where you should pick the other product. Seriously.
Pricing
Billed like a meter, not like a mortgage.
Sandboxes are ephemeral. Your bill should be too.
- Per-second metering — pay for runtime, not for idle fear
- Free tier that actually runs real workloads
- Rates scale by isolation class: wasm < container < microvm
- Enterprise: custom regions, SSO, and tenancy contracts
Run something risky.
Safely.
Spin up an isolated sandbox in seconds. Wipe it without ceremony. Sleep fine either way.