Architecture

Secure Exec runs untrusted guest code inside a fully virtualized VM whose kernel services every guest syscall. At a glance:

• Kernel-owned VM: A kernel owns the virtual filesystem, process table, and socket table, plus pipes, PTYs, permission policy, and DNS. There is no real host filesystem, host socket, or host process available to the guest.
• Guest runs in an executor: Guest JavaScript runs in a V8 isolate and other guest code runs in a WASM executor, holding no real host capabilities of their own.
• Sidecar mediates every syscall: A trusted sidecar is the enforcement point. Every guest syscall flows through kernel-owned paths it controls, where policy and limits are checked.
• Normal Linux semantics: The VM presents POSIX-like behavior to guest programs, so normal tools run unmodified while staying fully virtualized.

Full reference

The canonical, in-depth architecture reference, including packages, crates, trust boundaries, and syscall paths, is owned by agentOS.

agentOS: Architecture The complete architecture reference, including components, trust boundary, and syscall paths.