When developing agents, especially AI- or LLM-based, it's important to consider isolation, performance, and execution location (server vs client). We discussed the following concepts:
- Server-hosted runtimes: Node, Bun, Deno
- Server-side sandbox: Docker, gVisor, MicroVMs
- WebAssembly (WASM): server- or client-side
- WebContainers: full Linux-like environment in the browser
- Serverless/Edge runtimes: Cloudflare Workers, Deno Deploy, Vercel Edge Functions
Node / Bun / Deno
- Runs directly on the server
- Fast startup, full API access
- No isolation: all agents share the same host
- Ideal for local experiments or trusted agents
Docker / gVisor / Firecracker
- Strong isolation per agent
- Allows different Node versions and environments
- Higher resource usage
- Startup and management more complex than pure JS runtimes
WebAssembly (WASM)
Server-side (Wasmtime / Wasmer)
- Lightweight sandbox, secure, isolated
- Fast, portable, can run multiple agents in parallel
- No Docker needed
Client-side
- Runs in the browser or WebContainers
- Fully sandboxed, offloads computation to user device
- Limited to browser APIs and device resources
WebContainers
- Full Linux-like environment in the browser
- Node/Bun/Deno runtime available
- CLI + GUI possible
- Agents run isolated, fully sandboxed
- Computation runs on the user device — great for demos, education, and benchmarking
- Free for small projects (StackBlitz)
- Commercial license needed for profit-oriented projects
Serverless / Edge runtimes
- Cloudflare Workers, Deno Deploy, Vercel Edge Functions
- Fast startup, isolated execution
- No server management required
- Limits on execution time and API access
| Approach | Isolation | Speed | Location | Use Case |
|---|---|---|---|---|
| Node / Bun / Deno | None | Very fast | Server | Local experiments, trusted agents |
| Node + Process Sandbox | Medium | Fast | Server | Multiple agents, moderate isolation |
| Docker / gVisor | Strong | Medium | Server | Untrusted agents, multiple environments |
| WASM | Strong | Very fast | Server or Client | Sandbox, lightweight agents, portability |
| WebContainers | Strong | Very fast | Client (Browser) | Sandbox + GUI + Terminal, education, benchmarking |
| Edge / Serverless | Strong | Very fast | Cloud | API calls, lightweight agents, scalable |
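
The difference between the table's "Node / Bun / Deno" row and its "Node + Process Sandbox" row, as an added example that is not part of the original notes: the same agent code is run once with the inherited host environment and once in a child process with an allowlisted environment, a timeout and an output cap. `runAgent`, `ENV_ALLOWLIST`, `DEMO_API_KEY` and the three agent snippets are constructed for illustration.

```javascript
const { spawnSync } = require('node:child_process');

// Constructed stand-in for a host credential that agents must never see.
process.env.DEMO_API_KEY = 'constructed-secret';

// Only these variables are passed through to a sandboxed agent (assumption).
const ENV_ALLOWLIST = ['PATH'];

// Run agent source in its own Node process.
// isolate: false mimics the "None" row: the child inherits the host environment.
function runAgent(source, { isolate = true, timeoutMs = 2000 } = {}) {
  const env = isolate
    ? Object.fromEntries(
        ENV_ALLOWLIST.filter((k) => k in process.env).map((k) => [k, process.env[k]])
      )
    : process.env;
  const result = spawnSync(process.execPath, ['-e', source], {
    env,
    encoding: 'utf8',
    timeout: timeoutMs,     // stop an agent that never exits
    killSignal: 'SIGKILL',
    maxBuffer: 64 * 1024,   // cap the output the host will buffer
  });
  return {
    stdout: result.stdout ?? '',
    timedOut: result.error?.code === 'ETIMEDOUT',
    outputCapped: result.error?.code === 'ENOBUFS',
    exitCode: result.status,
  };
}

// Constructed agents: one probes the environment, one loops, one floods stdout.
const ENV_PROBE = "console.log('DEMO_API_KEY' in process.env)";
const RUNAWAY = 'while (true) {}';
const NOISY = "process.stdout.write('x'.repeat(1024 * 1024))";

console.log('shared env sees secret:  ', runAgent(ENV_PROBE, { isolate: false }).stdout.trim());
console.log('scrubbed env sees secret:', runAgent(ENV_PROBE).stdout.trim());
console.log('runaway agent timed out: ', runAgent(RUNAWAY, { timeoutMs: 500 }).timedOut);
console.log('noisy agent output capped:', runAgent(NOISY).outputCapped);
```

This restricts only the environment, run time and buffered output. The child process can still reach the host filesystem and network, which is consistent with the table's "Medium" rating.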
Takeaways:
- Trusted, fast experiments → Node / Bun / Deno directly on server
- Secure, isolated agents → WASM on server or WebContainer in browser
- Client offload / demos / benchmarking → WebContainer or WASM in browser
- Production, untrusted agents → Docker / gVisor
WebContainer example
- Node web server runs in WebContainer
- Terminal + GUI available
- Agents can run isolated in the container
- Example:

```js
// index.js
import express from 'express';
import { exec } from 'child_process';

const app = express();
const PORT = 3000;

app.get('/', (req, res) => res.send('Hello from WebContainer!'));

// Run the agent as a child process and return its output.
app.get('/run-agent', (req, res) => {
  exec('node agent.js', (err, stdout, stderr) => {
    if (err) return res.status(500).type('text/plain').send(err.message);
    // Send as plain text so agent output is never interpreted as HTML.
    res.type('text/plain').send(stdout);
  });
});

app.listen(PORT, () => console.log(`Server running on port ${PORT}`));
```