vmette 0.5.0

Run untrusted agents in a hardware-isolated Linux microVM on macOS — a security boundary built on Apple's Virtualization.framework
Documentation

vmette

A security boundary for the age of local agents — run untrusted agents on the machines your employees already have, without trusting the agent with the machine.

vmette is a headless Linux microVM sandbox for macOS, built on Apple's Virtualization.framework (VZ) via the objc2-virtualization bindings. It boots a hardware-isolated Linux guest in ~1 second and gives the agent a real machine — shell, filesystem, network — that is not your machine: the boundary is the hypervisor, and the guest reaches the host filesystem or network only where you explicitly grant it.

This crate is the core library. It exposes three faces from one build:

  • lib — a normal Rust dependency: Config + run() for a one-shot workload, or the Session primitive for a long-lived VM.
  • cdylib (libvmette.dylib) + staticlib (libvmette.a) — a C ABI (header at include/vmette.h, generated by cbindgen from src/ffi.rs) for non-Rust consumers.
use vmette::{Config, run};

// Boot a guest from a kernel + initramfs and run a one-shot command.
let mut cfg = Config::new("vmlinuz-virt", "initramfs-vmette");
cfg.exec_cmd = Some("echo hello from the guest".into());

let out = run(&cfg)?;
assert_eq!(out.exit_code, 0);

Rootfs comes from a pluggable provider (local directory, OCI/Docker image, tarball, or prebuilt squashfs block image); the default registry lives in the vmette-providers crate.

Boot assets

Config::new needs a Linux kernel (vmlinuz-virt) and vmette's repacked initramfs (initramfs-vmette). These ~10 MB blobs are not shipped on crates.io — get them from a GitHub release tarball (under assets/) or build them with git clone … && make assets init, then pass their paths to Config::new (or let the vmette-assets crate discover them via $VMETTE_ASSETS_DIR / ./assets). Guest assets are x86_64-only. See docs/API.md.

Platform

macOS only. Booting a VM requires codesigning the host binary with the com.apple.security.virtualization entitlement. Snapshot/restore is Apple-Silicon-only. The crate does not build on non-Apple targets — docs.rs renders it for aarch64-apple-darwin.

Regenerating the C header

The header is checked in. Refresh it after changing src/ffi.rs with:

cargo build -p vmette --features regenerate-header   # or: make header

Without that feature, cbindgen is not part of the build — consumers compile neither it nor syn.

See the project README and docs/ for the full CLI, API, daemon, and MCP documentation. MIT licensed.