Kefka is a Go library that gives AI agents disposable, sandboxed shell environments using Tigris bucket forks and WebAssembly. Each agent session gets its own copy-on-write bucket fork, a POSIX-compatible shell interpreter (mvdan.cc/sh), and real tools like Python, jq, and ripgrep compiled to WebAssembly. When the session ends, the fork is deleted. The approach avoids containers or VMs, running entirely in userspace and scaling to many simultaneous agent sessions. A live SSH demo lets anyone try the sandbox, with sessions automatically isolated and cleaned up on disconnect. POSIX conformance is validated against the 2018 spec, and Claude Code was used extensively to port coreutils from a TypeScript reference implementation.
Table of contents
Well, the thing is you don’t Dancing mad with sandboxes Running Python Making sure it’s compatible A demo Like, comment, subscribe Sort: