VELA

Securely execute AI-generated & untrusted code

2026-06-18

Product Introduction

  1. Definition: VELA is an open-source, secure execution runtime for AI agents, SaaS platforms, and any application needing to run untrusted code. It is technically a policy-driven execution guard that leverages Firecracker micro-VMs for hardware-level isolation and HMAC capability tokens for cryptographic authorization, providing a sandboxed environment far superior to traditional subprocess or container-based methods.

  2. Core Value Proposition: VELA exists to solve the critical security risk of AI agents executing dynamically generated or untrusted code. It provides secure code execution with fine-grained control, ensuring developers can harness the power of autonomous AI without exposing their host systems, data, or infrastructure to compromise. It is the secure execution layer built for modern AI agent frameworks.

Main Features

  1. Firecracker Micro-VM Isolation:

    • How it works: Each code execution request spawns a fresh, isolated virtual machine from a pre-warmed pool powered by Firecracker, a lightweight VMM (Virtual Machine Monitor). The host OS kernel is never exposed. Runs complete in ~150ms (p50 latency).
    • Technology: Built on KVM (Kernel-based Virtual Machine) for true hardware-level sandboxing. Ensures hermetic sealing between executions, preventing any state or data leakage between runs.
  2. HMAC Capability Tokens:

    • How it works: Authorization is managed through cryptographically signed tokens. Each token explicitly declares permissions for a single execution: which filesystem paths are accessible (e.g., /tmp), whether network access is permitted, memory limits, and execution timeouts.
    • Technology: Uses HMAC-SHA256 signatures to create tamper-proof, scoped capability-based security. This allows for precise, per-request permission grants, moving beyond coarse, always-on container permissions.
  3. Policy Engine & Intrusion Detection:

    • How it works: Developers define security rules in a YAML policy file (e.g., deny rm -rf, block curl) and can require human approval for sensitive operations. The system monitors syscalls in real-time to flag anomalies like spikes in privileged calls, access to sensitive files (/etc/shadow), or connections to private networks.
    • Technology: Deny-list rules are complemented by active runtime monitoring that generates structured alerts, so the policy file and the syscall monitor together form the intrusion detection layer.
  4. Full JSONL Audit Trail:

    • How it works: Every event within an execution—spawning, policy checks, stdout/stderr, termination status—is recorded in an append-only JSONL log. This log is queryable by execution ID, broadcast to a live stream socket, and can be piped to analytics platforms.
    • Technology: Provides complete execution observability and compliance. The structured format is easily integrated with logging stacks (e.g., the ELK stack) and monitoring systems (Prometheus metrics endpoint included).
  5. Framework Adapters & Integrations:

    • How it works: VELA provides ready-to-use adapters for popular AI agent frameworks. For example, from langchain_aegis import AegisPythonREPL gives LangChain a secure Python REPL tool. Similar adapters exist for LlamaIndex, CrewAI, and OpenAI function tools.
    • Technology: Abstracts the complex security and isolation layer behind a simple, familiar API. One import statement replaces hundreds of lines of custom orchestration code.
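The policy engine and syscall monitor described under feature 3, as an added illustration that is not VELA's own code: the policy dict, its keys, the rule names and the event format are assumptions standing in for whatever the real YAML schema and tracer produce, and the sample events are constructed.

```python
import ipaddress
import re

# Constructed policy, shaped as a YAML loader would return it (assumed schema, not VELA's).
POLICY = {
    "deny_commands": [r"\brm\s+-rf\b", r"\bcurl\b"],
    "require_approval": [r"\bpip\s+install\b"],
    "sensitive_files": ["/etc/shadow", "/etc/passwd", "/root/.ssh/"],
    "privileged_syscalls": {"setuid", "setgid", "mount", "ptrace", "capset"},
    "privileged_spike": 3,  # alert once this many privileged calls are seen
}

def check_command(policy: dict, cmd: str) -> str:
    """Static gate before spawn: returns 'deny', 'needs_approval' or 'allow'."""
    if any(re.search(p, cmd) for p in policy["deny_commands"]):
        return "deny"
    if any(re.search(p, cmd) for p in policy["require_approval"]):
        return "needs_approval"
    return "allow"

def monitor_syscalls(policy: dict, events: list) -> list:
    """Runtime gate: turn a syscall event stream into structured alerts."""
    alerts, privileged = [], 0
    def alert(ev, rule, detail):
        alerts.append({"exec_id": ev["exec_id"], "rule": rule, "detail": detail})
    for ev in events:
        name, args = ev["syscall"], ev["args"]
        if name in policy["privileged_syscalls"]:
            privileged += 1
            if privileged == policy["privileged_spike"]:
                alert(ev, "privileged_spike", f"{privileged} privileged calls")
        elif name in ("open", "openat"):
            if any(args["path"].startswith(s) for s in policy["sensitive_files"]):
                alert(ev, "sensitive_file", args["path"])
        elif name == "connect":
            ip = ipaddress.ip_address(args["ip"])
            if ip.is_private or ip.is_loopback:
                alert(ev, "private_network", f"{ip}:{args['port']}")
    return alerts

# Constructed sample of what a syscall tracer might emit for one execution.
SAMPLE_EVENTS = [
    {"exec_id": "run-7", "syscall": "openat", "args": {"path": "/tmp/data.csv"}},
    {"exec_id": "run-7", "syscall": "openat", "args": {"path": "/etc/shadow"}},
    {"exec_id": "run-7", "syscall": "connect", "args": {"ip": "8.8.8.8", "port": 443}},
    {"exec_id": "run-7", "syscall": "connect", "args": {"ip": "10.0.0.5", "port": 5432}},
    {"exec_id": "run-7", "syscall": "setuid", "args": {}},
    {"exec_id": "run-7", "syscall": "ptrace", "args": {}},
    {"exec_id": "run-7", "syscall": "capset", "args": {}},
]
```

Each alert carries the execution ID so it can be joined against the JSONL audit trail for that run.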

Problems Solved

  1. Pain Point: The massive security risk of running AI-generated code directly on a host server via raw subprocess calls or basic Docker containers. This exposes systems to jailbreak exploits, data exfiltration, and destructive operations with no audit trail. The associated cold start overhead and management complexity of traditional containers are also addressed.

  2. Target Audience:

    • AI/ML Platform Engineers: Building and securing platforms where multiple AI agents or users submit code for execution.
    • Developers of AI Agent Frameworks (e.g., LangChain or LlamaIndex integrators): needing a secure backend runtime.
    • SaaS Companies: Offering code execution features in their products (e.g., online IDEs, coding tutors, data analysis tools).
    • DevSecOps Teams: Responsible for implementing zero-trust principles and maintaining compliance in automated CI/CD pipelines.
  3. Use Cases:

    • Securely running code in AI agents within platforms like LangChain or LlamaIndex.
    • Building a secure, multi-tenant SaaS where customers can run arbitrary scripts.
    • Replacing brittle Docker orchestration for ephemeral code execution in development or testing.
    • Implementing a safe playground for users to test and run code snippets online.
    • Ensuring compliance and maintaining an audit log for all automated code execution in a CI/CD environment.

Unique Advantages

  1. Differentiation vs. Competitors:

    • vs. Raw Subprocess/Docker: Provides true, hardware-level isolation (Firecracker) instead of shared kernel risk. Offers much faster cold starts (~150ms vs. 1-3s) and a built-in, fine-grained audit trail and policy engine, which subprocess lacks entirely.
    • vs. Hosted Sandboxes: As an open-source, MIT-licensed tool, it avoids vendor lock-in, opaque pricing, and data privacy concerns. Organizations retain full control and visibility over their execution environment and logs.
    • All-in-One: It combines isolation, authorization, policy, intrusion detection, and observability into a single cohesive package, unlike fragmented solutions requiring multiple tools.
  2. Key Innovation: The integration of Firecracker micro-VMs for lightweight, strong isolation with a cryptographic capability token system (HMAC) for permissioning. This combination allows for per-request, fine-grained security controls that are both performant and verifiable, moving beyond the all-or-nothing permissions of traditional containers.

Frequently Asked Questions (FAQ)

  1. How is VELA different from using Docker for code execution? VELA uses Firecracker micro-VMs for hardware-level, per-execution isolation, whereas Docker shares the host kernel, posing a greater security risk. VELA also offers significantly faster cold starts (~150ms), built-in HMAC capability tokens for fine-grained permissions, and an immutable JSONL audit trail by default—features Docker does not provide natively.

  2. Is VELA truly open-source and free for commercial use? Yes, VELA is 100% open-source under the MIT License. This means it is free forever for self-hosting, you can audit and contribute to the code, and you can use it in commercial products without restrictions or licensing fees.

  3. What AI agent frameworks does VELA support? VELA provides official framework adapters for LangChain, LlamaIndex, CrewAI, and OpenAI function tools, allowing for seamless "plug-and-play" integration. It also offers a Python client (both sync and async) and a REST API for custom integrations.

  4. How does the HMAC capability token system work? An HMAC-SHA256 signed token is generated for each execution request. This token explicitly declares a scoped set of permissions, such as allowed filesystem paths (e.g., ["/tmp"]), network access (False), memory limits, and timeout. The VELA daemon cryptographically verifies this token before spawning a micro-VM, ensuring the code runs only within its granted boundaries.
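The mint-then-verify flow from feature 2 and this answer, as an added example that is not VELA's code or token format: the "hex payload . hex HMAC" encoding, the field names (exec_id, fs_paths, network, memory_mb, timeout_s, exp) and the sample key are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import os.path
import time

# Constructed shared secret and capability set for the demo (not real values).
DEMO_KEY = b"constructed-shared-secret"
DEMO_CAPS = {"exec_id": "run-42", "fs_paths": ["/tmp"], "network": False,
             "memory_mb": 256, "timeout_s": 30, "exp": 1_900_000_000}

def mint_token(key: bytes, caps: dict) -> str:
    """Issuer side: sign one execution's capability set with the shared key."""
    # Canonical JSON so issuer and daemon MAC byte-identical input.
    payload = json.dumps(caps, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + sig

def verify_token(key: bytes, token: str, now=None) -> dict:
    """Daemon side: reject anything malformed, altered or expired before use."""
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise PermissionError("bad signature")
    caps = json.loads(payload)
    if (time.time() if now is None else now) > caps["exp"]:
        raise PermissionError("token expired")
    return caps

def path_allowed(caps: dict, path: str) -> bool:
    """Grant only paths under a declared prefix; normpath collapses '..' escapes."""
    target = os.path.normpath(path)
    for allowed in caps["fs_paths"]:
        prefix = os.path.normpath(allowed)
        if target == prefix or target.startswith(prefix.rstrip("/") + "/"):
            return True
    return False

def authorize(key: bytes, token: str, path: str, wants_net: bool, now=None) -> tuple:
    """The decision a daemon would make before spawning the micro-VM."""
    try:
        caps = verify_token(key, token, now)
    except PermissionError as e:
        return (False, str(e))
    if not path_allowed(caps, path):
        return (False, f"path {path} outside {caps['fs_paths']}")
    if wants_net and not caps["network"]:
        return (False, "network not granted")
    return (True, caps["exec_id"])
```

Because the same key both mints and verifies, the daemon must treat that key as the root of the whole scheme: anyone holding it can issue tokens with any capability set.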

  5. What does the audit trail include and how can I access it? The JSONL audit trail records every execution event, including the policy applied, token verification, start/stop times, stdout/stderr output, and termination reason. You can query logs by execution ID, access them via a live stream socket, or export them to monitoring systems using the provided Prometheus metrics endpoint.
