The sandbox

The isolated cloud environment agents run in, and how to detect it.

Every agent runs in its own cloud sandbox: an isolated Linux container created for the run, with the run's repositories already cloned, and torn down when the run finishes. Nothing persists between runs, so every run starts from a known-clean state and nothing an agent installs or breaks can leak into the next one.

What's inside

The base image builds on python:3.13 and includes Python 3.13 with pip, Node.js 22 with npm, git, the GitHub CLI (gh), curl, and a C/C++ toolchain (make, g++). Repositories are cloned before the agent starts, and gh is already authenticated against them.

By default, each sandbox gets 1 vCPU, 4096 MiB of memory, and a one-hour run timeout. The sandbox.compute setting sizes all three, up to 16 vCPU, 64 GiB, and 24 hours (see Size the compute).

Beyond that, an agent can install tools at run time, or the config can bake them into the image and run setup hooks.

Credentials are scoped and die with the sandbox

The sandbox holds no long-lived secrets. Its GitHub token is a scoped installation token; its model calls route through the Ellipsis proxy with a synthetic key (a real Anthropic key never enters the sandbox); its Ellipsis API token can read but not modify your stored sandbox variables. All of them are revoked when the sandbox is torn down.

Detecting the sandbox

Ellipsis sets ELLIPSIS_SANDBOX_ID in every sandbox, and nowhere else. If your agents need to know whether they are running on the Ellipsis cloud, have them check ELLIPSIS_SANDBOX_ID.

Environment variables

Anything named under an agent's sandbox.variables is an ordinary environment variable in that run: $NPM_TOKEN in shell, os.environ["NPM_TOKEN"] in Python. Only the variables an agent names reach its sandbox. See Bring secrets into a sandbox.
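
A preflight check covering both "Detecting the sandbox" and "Environment variables", as an added example that is not Ellipsis's own code: it reads ELLIPSIS_SANDBOX_ID, verifies that the variables the agent expects actually arrived, and produces a summary that never includes a secret's value. PYPI_TOKEN, the function names, and the sample values are hypothetical.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional, Sequence

SANDBOX_ID_VAR = "ELLIPSIS_SANDBOX_ID"  # set by Ellipsis in every sandbox (per this page)


@dataclass(frozen=True)
class Preflight:
    sandbox_id: Optional[str]  # None when the marker is absent
    missing: tuple             # required variables that are unset or empty

    @property
    def in_sandbox(self) -> bool:
        return self.sandbox_id is not None

    @property
    def ok(self) -> bool:
        return self.in_sandbox and not self.missing


def preflight(required: Sequence[str], env: Optional[Mapping[str, str]] = None) -> Preflight:
    """Check the sandbox marker and the variables this agent expects."""
    env = os.environ if env is None else env
    # Assumption: an empty marker is treated the same as an absent one.
    # The marker is an environment hint, not proof: any local process can set it.
    sandbox_id = env.get(SANDBOX_ID_VAR) or None
    # Only variables named under sandbox.variables reach the run, so a typo
    # in the config shows up here as a missing name.
    missing = tuple(name for name in required if not env.get(name))
    return Preflight(sandbox_id, missing)


def describe(result: Preflight, required: Sequence[str]) -> list:
    """Log-safe summary: variable names and presence only, never values."""
    lines = [f"sandbox: {'yes, id=' + result.sandbox_id if result.in_sandbox else 'no'}"]
    for name in required:
        lines.append(f"{name}: {'MISSING' if name in result.missing else 'present'}")
    return lines


if __name__ == "__main__":
    # Constructed environment for illustration; real runs pass no env argument.
    sample = {SANDBOX_ID_VAR: "sbx-constructed-0001", "NPM_TOKEN": "constructed-secret"}
    needed = ["NPM_TOKEN", "PYPI_TOKEN"]  # PYPI_TOKEN is a hypothetical second variable
    report = preflight(needed, sample)
    print("\n".join(describe(report, needed)))
    raise SystemExit(0 if report.ok else 1)
```

Calling preflight() without an env argument reads the real process environment, so the same script can gate a setup hook or the first step of an agent run.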