HeadlinesBriefing.com

Docker's Hidden MicroVM API Powers Secure AI Agent Sandboxes

Hacker News

A developer reverse-engineered Docker's undocumented microVM API and released an open-source Sandbox Agent SDK for orchestrating coding agents. The discovery reveals Docker quietly shipped virtual machine management capabilities alongside its Sandbox feature, which runs on microVMs rather than traditional containers.

Containers share the host kernel, making them unsuitable for untrusted code execution. MicroVMs provide separate kernels for stronger isolation, which is why AWS Lambda and other sandbox providers rely on them. Docker Sandboxes aim to bring this security model to AI agents like Claude Code and Codex, allowing them to run with full permissions safely.

The reverse-engineered API exposes three endpoints through the sandboxd daemon: GET /vm, POST /vm, and DELETE /vm/{vm_name}. Each microVM gets its own Docker daemon socket for maximum isolation, and the system routes network traffic through a filtering proxy. The implementation requires Docker Desktop 4.58+ on macOS or Windows.

The Sandbox Agent SDK handles session lifecycle, agent communication, and multi-agent support, abstracting the complexity of the raw microVM API. This makes microVM isolation available to workloads beyond Docker's officially supported agents, including AI coding assistants, untrusted code execution, and multi-tenant plugin isolation.