Secure Node.js Execution Without a Sandbox

Name: Secure Exec
Author: Rivet

A lightweight library for secure Node.js execution.
No containers, no VMs — just npm-compatible sandboxing out of the box.
Powered by the same tech as Cloudflare Workers.

Get Started

Give your AI agent secure code execution

Expose secure-exec as a tool with the Vercel AI SDK. Your agent can execute arbitrary code without risking your infrastructure.

agent.ts

import { generateText, stepCountIs, tool } from "ai";
import { anthropic } from "@ai-sdk/anthropic";
import { NodeRuntime, createNodeDriver, createNodeRuntimeDriverFactory } from "secure-exec";
import { z } from "zod";

// Create a sandboxed runtime
const runtime = new NodeRuntime({
  systemDriver: createNodeDriver({
    permissions: {
      fs: () => ({ allow: true }),
      network: () => ({ allow: true }),
    },
  }),
  runtimeDriverFactory: createNodeRuntimeDriverFactory(),
  memoryLimit: 64,
  cpuTimeLimitMs: 5000,
});

// Expose as an AI SDK tool
const { text } = await generateText({
  model: anthropic("claude-sonnet-4-6"),
  prompt: "Calculate the first 20 fibonacci numbers",
  stopWhen: stepCountIs(5),
  tools: {
    execute: tool({
      description: "Run JavaScript in a secure sandbox. Assign the result to module.exports to return data.",
      inputSchema: z.object({ code: z.string() }),
      execute: async ({ code }) => runtime.run(code),
    }),
  },
});

console.log(text);

Why Secure Exec

Give your AI agent the ability to write and run code safely.

No infrastructure required

No Docker daemon, no hypervisor, no orchestrator. Runs anywhere Node.js, Bun, or an HTML5 browser runs. Deploy to Lambda, a VPS, or a static site — your existing deployment works.

Node.js & npm compatibility

fs, child_process, http, dns, process, os — bridged to real host capabilities, not stubbed. Run Express, Hono, Next.js, and any npm package.

Compatibility matrix →

Built for AI agents

Give your AI agent the ability to write and run code safely. Works with the Vercel AI SDK, LangChain, and any tool-use framework.

Deny-by-default permissions

Filesystem, network, child processes, and env vars are all blocked unless explicitly allowed. Permissions are composable functions — grant read but not write, allow fetch but block spawn.

Configurable resource limits

CPU time budgets and memory caps. Runaway code is terminated deterministically with exit code 124 — no OOM crashes, no infinite loops, no host exhaustion.

Powered by V8 isolates

The same isolation primitive behind Cloudflare Workers for Platforms and every browser tab. Battle-tested at scale by the infrastructure you already trust.

Benchmarks

V8 isolates vs. sandboxes.

Cold startWhat's measured: Time from requesting an execution to first code running.

Why the gap: Secure Exec spins up a V8 isolate inside the host process. No container, no VM, no network hop. Sandboxes must boot an entire container or microVM, allocate memory, and establish a network connection before code can run.

Sandbox baseline: e2b, the fastest provider on ComputeSDK as of March 18, 2026.

Secure Exec: Median of 10,000 runs (100 iterations × 100 samples) on Intel i7-12700KF.

Our benchmarks →

Lower is better

Secure Exec

17.9 ms176x faster

Fastest sandbox

3,150 ms

Memory per instanceWhat's measured: Memory footprint added per concurrent execution.

Why the gap: V8 isolates share the host process and its V8 engine. Each additional execution only adds its own heap and stack (~3.4 MB). Sandboxes allocate a dedicated container with a minimum memory reservation, even if the code inside uses far less.

What this means: On a 1 GB server, you can run ~210 concurrent Secure Exec executions vs. ~4 sandboxes.

Sandbox baseline: 256 MB, the smallest minimum among popular providers (Modal, Cloudflare Containers) as of March 18, 2026.

Secure Exec: 3.4 MB, the converged average per execution under sustained load.

Our benchmarks →

Lower is better

Secure Exec

~3.4 MB75x smaller

Sandbox provider minimum

~256 MB

Cost per execution-secondWhat's measured: `server price per second ÷ concurrent executions per server`

Why it's cheaper: Each execution uses ~3.4 MB instead of a 256 MB container minimum. And you run on your own hardware, which is significantly cheaper than per-second sandbox billing.

Sandbox baseline: Cloudflare Containers, the cheapest sandbox provider benchmarked. Billed at $0.0000025/GiB·s with a 256 MB minimum (March 18, 2026).

Secure Exec: 3.4 MB baseline per execution, assuming 70% utilization. Select a hardware tier above to compare.

Our benchmarks → · Full cost breakdown →

Lower is better

Secure Exec

$0.000011/s56x cheaper

Cheapest sandbox

$0.000625/s

Secure Exec vs. Sandboxes

Not every workload needs a full OS. Secure Exec gives you V8-level isolation for code execution — no container required.

Run untrusted code (Node.js, Python) inside your backend process

✓Native V8 performance

✓Granular deny-by-default permissions

✓Just npm install — no vendor account

✓Run on any cloud or hardware

✓No egress fees

✓No API keys to manage

Sandbox

Spin up a full OS with root access, system packages, and persistent disk

✓Native container performance

✗Coarse-grained permissions

✗Vendor account required

✗Hardware lock-in

✗Per-GB egress fees

✗API keys to manage

Full comparison guide

Need a full sandboxed operating system? We've got that too.

Run coding agents in sandboxes. Control them over HTTP.

Supports Claude Code, Codex, OpenCode, Amp, and Pi.

Works with

Learn more

FAQ

Secure Exec runs untrusted code inside V8 isolates — the same isolation primitive that powers every Chromium tab and Cloudflare Workers. Each execution gets its own heap, its own globals, and a deny-by-default permission boundary. There is no container, no VM, and no Docker daemon — just fast, lightweight isolation using battle-tested web technology. Architecture →

No. Secure Exec is a pure npm package — npm install secure-exec is all you need. It has zero infrastructure dependencies: no Docker daemon, no hypervisor, no orchestrator, no sidecar. It runs anywhere Node.js or Bun runs.

We are actively validating serverless platforms, but Secure Exec should work everywhere that provides a standard Node.js-like runtime. This includes Vercel Fluid Compute, AWS Lambda, and Google Cloud Run. Cloudflare Workers is not supported because it does not expose the V8 APIs that Secure Exec relies on.

Use Secure Exec when you need fast, lightweight code execution — AI tool calls, code evaluation, user-submitted scripts — without provisioning infrastructure. Use a sandbox (e2b, Modal, Daytona) when you need a full operating-system environment with persistent disk, root access, or GPU passthrough. Full comparison →

Yes. Secure Exec supports dynamic module installation via npm inside the execution environment.

Yes. Secure Exec bridges Node.js APIs including http, net, and child_process, so frameworks like Express, Hono, and Next.js work out of the box. For production deployments, pair Secure Exec with Rivet Actors to get built-in routing, scaling, and lifecycle management for each server instance.

Yes. For orchestrating stateful, long-running tasks, we recommend pairing Secure Exec with Rivet Actors. Rivet Actors provide durable state, automatic persistence, and fault-tolerant orchestration — so each long-running task survives restarts and can be monitored, paused, or resumed without you building that infrastructure yourself.

AI agent code execution and tool use
User-facing dev servers (Express, Hono, Next.js)
MCP tool-code execution
Sandboxed plugin / extension systems
Interactive coding playgrounds

Yes. Most Node.js core modules work — including fs, child_process, http, dns, process, and os. These are bridged to real host capabilities, not stubbed. Compatibility matrix →

Yes. Secure Exec includes a virtual kernel with a system bridge that supports a granular permission model. Filesystem, network, child processes, and environment variables are all available — gated behind deny-by-default permissions.

Yes. Secure Exec runs on native V8 isolates, so your code is JIT-compiled by V8's TurboFan optimizing compiler — the same pipeline that powers Chrome and Node.js. This means full optimization tiers, inline caching, and speculative optimization out of the box.

WASM-based runtimes like QuickJS (via quickjs-emscripten) compile a separate JS engine to WebAssembly, which means your code runs through an interpreter inside WASM — not native V8. Secure Exec uses native V8 isolates directly, so you get the same JIT-compiled performance as JavaScript running on the host. No interpretation overhead, no WASM translation layer, and full Node.js API compatibility.

For those about to execute, we salute you.

Install Secure Exec, create a runtime, and execute untrusted code. All in a few lines of TypeScript.

Read the Docs View on GitHub