Levain LabsLevain Labs
Platform

Sandboxes

Safe, isolated execution.

A sandbox is the isolated environment where an agent's code runs. Each run gets its own sandbox, provisioned at start and torn down at the end.

What isolation gives you

  • Containment. A run can't affect other runs, other workspaces, or the host.
  • Reproducibility. Every run starts from the same base image with the same dependencies.
  • Resource quotas. CPU, memory, disk, and network are bounded per sandbox.

What's inside

Every sandbox is provisioned with the things the agent needs and nothing else:

Sandboxes are ephemeral by default: they're destroyed when the run finishes. Anything the agent needs to keep goes into the session or a durable resource.

Persistent workspaces

Some agents build up a working set that's expensive to recreate — a cloned repository, downloaded datasets, a report that evolves across runs. For those, switch the agent to a persistent workspace in its settings (or set workspace_scope: "agent" in the agent's config via the API). The agent then keeps one durable working directory that carries over between conversations and runs, instead of starting empty each time.

For the built-in Levain assistant, persistence is per person: each workspace member gets their own durable working directory with the assistant, so your files carry across your conversations without appearing in anyone else's. In Slack this follows your Slack profile email — it should match the email you use with Levain.

Three things change when it's on:

  • Runs execute one at a time per volume. A dispatch while another run holds the same workspace returns 409. Scheduled fires that collide simply coalesce onto the running one, and in Slack the agent asks you to resend in a moment. With per-person persistence this only ever means your own concurrent conversations take turns — never someone else's.
  • State persists. Files an earlier run left behind — including anything a misled run wrote — stay visible to every future run. A self-serve reset is on the way; until then, reach out and we'll wipe the workspace for you.
  • Storage accumulates. Nothing expires automatically; large datasets sit on the volume until the workspace is wiped or the agent is deleted.

Fresh-by-default remains the recommendation for agents that don't need it: a clean workspace per conversation is easier to reason about and runs concurrently.

Inspecting a sandbox

While a run is live, you can query its sandbox to see real-time resource use:

Direct sandbox interaction is uncommon in day-to-day use; the endpoints above are mainly for inspection and debugging.

On this page