deno-sandbox

# Deno Sandboxes

## Overview

Deno Sandboxes provide secure, isolated environments for running untrusted code. Each sandbox runs in its own Linux microVM (using Firecracker, the same technology as AWS Lambda) with a separate filesystem, network, and process space. This makes them ideal for code playgrounds, AI agent tool execution, and multi-tenant applications.

Reference: https://deno.com/deploy/sandboxes

## When to Use Sandboxes

Use Deno Sandboxes when you need to:
- Run user-submitted code safely
- Execute AI-generated code
- Build code playground platforms
- Create multi-tenant code execution environments
- Run automated tests in isolation

## Getting Started

### Installation

```bash
deno add jsr:@deno/sandbox
```

### Basic Usage

```typescript
import { Sandbox } from "@deno/sandbox";

// Create a sandbox (auto-disposed when scope ends)
await using sandbox = await Sandbox.create();

// Run a command
const child = await sandbox.spawn("echo", { args: ["Hello from sandbox!"] });
const output = await child.output();

console.log(new TextDecoder().decode(output.stdout));
// Output: Hello from sandbox!
```

## Core Concepts

### Sandbox Lifecycle

Sandboxes are resources that should be disposed when done. Use `await using` for automatic cleanup:

```typescript
await using sandbox = await Sandbox.create();
// Sandbox is automatically destroyed when this scope ends
```

Or manually dispose:

```typescript
const sandbox = await Sandbox.create();
try {
  // Use sandbox
} finally {
  await sandbox[Symbol.asyncDispose]();
}
```

### Running Processes

The `spawn` method runs commands inside the sandbox:

```typescript
const child = await sandbox.spawn("deno", {
  args: ["run", "script.ts"],
  stdin: "piped",   // Enable stdin
  stdout: "piped",  // Capture stdout
  stderr: "piped",  // Capture stderr
});

// Wait for completion and get output
const output = await child.output();
console.log("Exit code:", output.code);
console.log("Stdout:", new TextDecoder().decode(o