[Feature]: SmolVM Implementation Roadmap (AI Sandbox) #114

@aniketmaurya

Description

Problem statement

Building a secure, performant AI sandbox (SmolVM) requires clear feature boundaries across networking, filesystem, and runtime performance. Today, there is no unified roadmap covering:

  • Filesystem abstraction: Lack of overlay and remote-backed (S3) filesystem support limits isolation and scalability of sandboxed environments.
  • API key injection: SmolVM can intercept network calls and inject API keys into them. This keeps the API keys entirely out of the sandboxed system and out of reach of the AI agents running inside it.

Done

  • ✅ Built-in file upload: smolvm upload FILEPATH --vm-id
  • Network isolation: No controls for ingress/egress, URL allowlisting, HTTP method restrictions, or toggling full internet access — making it hard to safely expose SmolVM to untrusted workloads.
  • File syncing

This affects AI engineers and developers running sandboxed code execution at scale.

Proposed solution

Deliver the following capabilities across three tracks:

🌐 Network

  • Control ingress and egress
  • Allow users to specify URL prefix allowlist
  • HTTP method restrictions
  • Full internet access flag
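
As an added sketch (not SmolVM's own code) of how the network controls above and the API key injection from the problem statement could fit together in one egress policy check: the `EgressPolicy`, `normalize` and `decide` names and the sample prefixes and placeholder key are assumptions constructed for this illustration. Matching is done on parsed URL components rather than a raw string prefix, so a lookalike host, a userinfo trick or a plaintext scheme cannot satisfy an HTTPS allowlist entry, and any credential header the guest tries to send is replaced by the host-side secret.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class EgressPolicy:
    # URL prefix -> allowed HTTP methods (empty set means any method)
    allow_prefixes: dict
    full_internet: bool = False
    # host -> (header name, secret); the secret stays host-side, never in the guest
    api_keys: dict = field(default_factory=dict)


def normalize(url: str) -> str:
    """Rebuild scheme://host/path from parsed parts so that lookalike hosts
    (api.example.com.evil.com) cannot pass a naive string prefix test."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path or '/'}"


def decide(policy: EgressPolicy, method: str, url: str, headers=None):
    """Return (allowed, outbound headers, reason) for one guest request."""
    parts = urlsplit(url)
    if not parts.hostname or parts.username or parts.password:
        return False, {}, "malformed or userinfo-bearing URL"
    method, norm = method.upper(), normalize(url)
    allowed_methods = None
    for prefix, methods in policy.allow_prefixes.items():
        base = normalize(prefix).rstrip("/")
        # exact match or a proper path segment below the prefix; /v1evil does not match /v1
        if norm == base or norm.startswith(base + "/"):
            allowed_methods = methods
            break
    if allowed_methods is None:
        if not policy.full_internet:
            return False, {}, "host/path not in allowlist"
    elif allowed_methods and method not in allowed_methods:
        return False, {}, f"method {method} not permitted for this prefix"
    out = dict(headers or {})
    host = parts.hostname.lower()
    if host in policy.api_keys:
        name, secret = policy.api_keys[host]
        # drop whatever the guest sent under that header name, then inject the real key
        out = {k: v for k, v in out.items() if k.lower() != name.lower()}
        out[name] = secret
    return True, out, "allowed"


# constructed sample policy; the key value is a placeholder, not a real credential
POLICY = EgressPolicy(
    allow_prefixes={"https://api.example.com/v1": {"POST"}, "https://pypi.org/": set()},
    api_keys={"api.example.com": ("Authorization", "Bearer PLACEHOLDER_KEY")},
)
```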

🗂️ Filesystem

  • OverlayFS support
  • S3-based filesystem integration

⚡ Speed and Optimizations

  • Reduce boot time
  • Reduce SSH connection time

Alternatives considered

  • Using existing container runtimes (e.g., Docker, gVisor) — these don't offer the lightweight, AI-first VM experience SmolVM targets.
  • Third-party networking proxies — adds operational complexity vs. native controls.

Additional context

This roadmap is intended to guide contributors through architectural decisions and scheduling for SmolVM feature delivery. Please add further suggestions or priorities in the comments.

Labels: enhancement (New feature or request)
