Features

Provider Landscape

Provider Landscape

Read when:

  • comparing Crabbox with adjacent sandbox, dev-environment, or microVM tools;
  • deciding whether a competitor should become a first-class provider;
  • planning provider capability work without live provider credentials.

This is a product and architecture map, not a benchmark. External products move quickly, so use this page to decide the next Crabbox seam to harden, then verify current behavior against the provider docs before adding code.

#Core Position

Crabbox should own the provider-neutral contract: selecting a target, syncing a checkout, running commands, returning proof, exposing reachability, and cleaning up capacity. It should not copy every adjacent product's control plane.

That means:

  • support stable execution substrates as providers;
  • expose shared workflow capabilities through crabbox providers and
  • crabbox providers recommend;

  • keep runtime-shape labels provider-neutral (managed-sandbox,
  • delegated-command, ssh-host, worker-module) instead of copying one vendor's control-plane terms;

  • keep reachability labels provider-neutral (provider-url, ssh-tunnel,
  • tailnet-peer, tailnet-egress) so preview URL, tailnet, and SSH tunnel workflows can be compared without provider-specific docs scraping;

  • use ssh or external for tools that already produce a normal host contract;
  • defer first-class support for runtimes whose useful behavior is still too
  • product-specific to test offline.

#Landscape

SegmentExternal systemsCrabbox fit todayImprove next
CI proof runnersBlacksmith Testbox, Semaphore, GitHub Actions-style runnersStrong fit. Crabbox already separates proof-runner semantics from generic VM semantics through ci-proof-runner providers and providers recommend ci-proof.Keep run proof, artifacts, downloads, and status records normalized across providers.
Hosted agent sandboxesE2B, Vercel Sandbox, Modal Sandboxes, Cloudflare Sandbox SDK, OpenSandbox, smolvm, Upstash BoxGood fit when the provider owns process execution and files. These map to delegated-run better than SSH leases.Improve artifact/download parity, preview URL reporting, timeout/error taxonomy, and optional MCP attachment routing.
Remote developer environmentsCoder, Daytona, Namespace Devbox, CodeSandbox, Morph, OpenComputer, Codespaces-like toolsGood fit when Crabbox can either SSH into the workspace or delegate a command with archive sync. providers recommend remote-dev is the routing surface.Add clearer live smoke docs per provider, surface pause/resume support, and keep local-editor, remote-compute flows distinct from CI proof.
Forkable/versioned workspacesMitos, Firecracker snapshot systems, local-container, ParallelsPartial fit. Crabbox already has provider-neutral checkpoint/fork/restore capability names and checkpoint fan-out via checkpoint fork --count, but only local providers advertise the fast path today.Harden versioned-workspace behavior before adding any runtime-specific fork API. Do not add Mitos-only flags.
Worker and module runtimesCloudflare Dynamic Workers, Cloudflare Sandbox SDK, Vercel/edge-adjacent runtimesNarrow fit. cloudflare-dynamic-workers is a module-run provider; generic container sandboxes need a separate lifecycle and file/process contract.Keep worker-runtime separate from Linux sandbox execution unless the provider can expose files, process status, logs, preview URLs, and cleanup.
Self-hosted virtualizationProxmox, XCP-ng, Incus, KubeVirt, local VMsStrong fit when Crabbox gets a normal SSH lease and lifecycle hooks.Keep provider-specific reconciliation behind adapters; no provider-specific branching in core.
GPU and ML executionRunPod, NVIDIA Brev, W&B, Modal, cloud GPU VMsMixed fit. SSH leases are best for debugging; delegated providers are best for provider-owned jobs.Normalize result evidence and cost/usage metadata before chasing more GPU-specific launch paths.

#Mitos Decision

Do not add first-class Mitos support yet.

Mitos is strategically interesting because it targets forkable Firecracker microVM swarms, MCP, and copy-on-write fan-out from a warm running machine. That is a different contract from most Crabbox providers. If Crabbox adds mitos today, the likely failure mode is ugly: Mitos-specific flags, Kubernetes and KVM assumptions leaking into core, and tests that cannot prove the useful behavior without a live cluster.

The better path is to make the generic seams real first:

  • workspace-checkpoint, workspace-fork, workspace-restore, and
  • provider-snapshot keep forkable workspace language provider-neutral.

  • runtime filter values like managed-sandbox, delegated-command, and
  • worker-module describe the execution shape without implying Mitos-style live microVM forking.

  • mcp-attachments stays a capability, not a Mitos-only command mode.
  • run-proof, run-artifacts, run-downloads, and url-bridge keep evidence
  • portable across delegated sandboxes and proof runners.

  • lifecycle filter values like cleanup, pause-resume, run-session,
  • workspace-state, and coordinator-governed expose stateful sandbox and devbox controls without baking in one provider's lifecycle API.

  • reachability filter values describe access planes without claiming a
  • provider-specific network isolation model.

  • remote-dev, mcp-sandbox, isolated-execution, and
  • versioned-workspace keep recommendations workflow-oriented.

  • fanout-testing and its best-of-n alias route operators to existing
  • fork-capable providers without adding a Mitos-only live-fork API.

  • checkpoint fork --count covers ordinary parallel attempts against archive
  • and native checkpoints while keeping live memory-forking as a future provider optimization, not a core CLI assumption.

Revisit Mitos only when there is a concrete use case that needs live microVM forking and the provider contract can be tested with offline unit coverage plus an opt-in live smoke. Until then, document it as an observed adjacent system.

#Support Matrix

SystemSupport stanceWhy
MitosObserve, do not support directly yet.Its main differentiator is live microVM forking. Crabbox needs generic fork/checkpoint semantics hardened before a Mitos adapter would be clean.
E2BSupported as e2b.Delegated sandbox execution maps cleanly to provider-owned sessions and URL bridge behavior.
Vercel SandboxSupported as vercel-sandbox.Ephemeral Linux sandbox execution fits delegated-run; keep adding evidence and artifact parity before more surface area.
ModalSupported as modal.Provider-owned container execution fits delegated runs, especially Python and ML-shaped workloads.
Cloudflare Sandbox SDKCandidate, not the same as current Cloudflare providers.The SDK can be a good delegated-run backend if the lifecycle, file, process, preview, and cleanup contract is stable enough.
Cloudflare Dynamic WorkersSupported as cloudflare-dynamic-workers.Worker/module execution is a separate target from Linux sandbox execution.
DaytonaSupported as daytona.Managed dev environment with SSH-shaped execution fits remote-dev routing.
Namespace DevboxSupported as namespace-devbox.SSH lease plus sync/cleanup behavior fits remote-dev routing.
CodeSandboxSupported as codesandbox.Delegated workspace execution and pause/resume fit remote-dev routing.
MorphSupported as morph.Managed SSH lease fits local-editor, remote-compute workflows.
OpenComputerSupported as opencomputer.Delegated Linux execution fits remote-dev and sandbox routing, but evidence parity should improve.
DevPodDo not support directly.It is already a provider-agnostic dev environment layer. Use the resulting SSH/container target through ssh, local-container, or external.
CoderSupported as coder.The built-in contract is intentionally narrow: local Coder CLI auth, Linux SSH proxy execution, stop-by-default release, delete only by opt-in, and cleanup only for locally claimed workspaces. Use ssh or external for existing workspaces that Crabbox should not manage.
Kubernetes Agent SandboxSupported as agent-sandbox.SandboxClaim-style delegated execution belongs behind the existing Kubernetes-native adapter.
OpenSandbox, Microsandbox, Moru-like runtimesCandidate only.Add only when one has a stable lifecycle and evidence contract that is meaningfully different from existing delegated sandboxes.

#Roadmap

Ship these in small PRs:

  1. Keep recommendation surfaces workflow-first.
  2. ci-proof, run-evidence, fast-feedback, isolated-execution, mcp-sandbox, remote-dev, team-cloud, and versioned-workspace should stay the public routing vocabulary.

  3. Improve evidence parity for delegated sandboxes.
  4. The biggest practical gap versus hosted sandbox products is not launch; it is consistent proof, artifacts, downloads, preview URLs, logs, and error status. Use crabbox providers recommend run-session when the workflow needs a reusable provider session handle for later inspection. Use crabbox providers recommend artifact-download when a workflow needs retained files or downloadable results from provider-owned execution. Use crabbox providers recommend failure-diagnostics when failed-run triage needs proof, reusable sessions, retained outputs, preview URLs, or SSH access to a synced checkout. Use crabbox providers recommend interactive-debug when triage needs a live inspection surface such as synced SSH, browser/code/desktop access, reusable sessions, provider URLs, or retained evidence after the debug session. Use crabbox providers recommend preview-url when the workflow specifically needs provider-native app or service URLs. Use crabbox providers --reachability provider-url or crabbox providers recommend reachability --reachability tailnet-peer when the operator needs an explicit access plane. Use crabbox providers recommend network-isolation when the workflow runs untrusted code and network exposure should stay inside a delegated or local sandbox boundary. Use crabbox providers recommend resource-observability when the workflow needs coordinator usage/cost visibility, SSH resource telemetry, retained run evidence, reusable sessions, or preview URLs for later inspection. Use crabbox providers recommend code-interpreter when generated-code or script execution should prefer delegated or local sandboxes with sessions, archive sync, retained outputs, preview URLs, MCP attachments, or module execution. Use crabbox providers recommend disposable-execution when temporary workloads should prefer cleanup-capable delegated or local sandboxes before retaining only the proof, outputs, session, or preview metadata needed for inspection. Use crabbox providers recommend web-app-smoke when app or service smoke tests need provider-native URLs, SSH tunnels, tailnet reachability, browser/code/desktop access, sessions, or retained outputs.

  5. Add live smoke docs where credentials are required.
  6. Provider adapters can be valuable before broad live access exists, but each one needs an opt-in smoke contract that says what real behavior proves. See Provider live smoke for the shared contract. Use crabbox providers recommend live-smoke to pick candidates from offline lifecycle, sync, cleanup, and evidence metadata before spending capacity. Use crabbox providers recommend cost-control when a workflow should prefer local runtimes, coordinator governance, cleanup, cache reuse, or retained proof before spending provider quota. Use crabbox providers recommend offline-validation when live provider credentials or quota are not available yet; it prefers local runtimes, local sandboxes/VMs, BYO SSH hosts, and external-provider contracts over cloud API-backed leases. Use crabbox providers recommend pause-resume when long-running sandbox or dev-environment state needs to be parked and resumed. Use crabbox providers recommend warm-start when repeated runs should prefer local runtimes, reusable caches, retained sessions, pause/resume, or workspace-state signals before paying remote cold-start cost.

  7. Strengthen workspace reuse before runtime-specific forking.
  8. Checkpoint, fork, restore, and provider snapshot semantics should be testable through the CLI before adding live microVM fan-out. Use crabbox providers recommend workspace-reuse as the workflow entry point when the operator cares about reusable state more than a specific fork API. Use crabbox providers recommend fanout-testing when the workflow needs parallel branch or best-of-N experimentation from forkable state.

  9. Keep edge/worker execution separate from Linux sandboxes.
  10. A Worker module runtime is not the same thing as a Linux shell. Make the target and feature names say that clearly.

#Add-Provider Bar

Add a first-class provider when the PR can prove:

  • stable lifecycle: create, inspect, run or attach, release, cleanup;
  • honest ProviderSpec.Kind, category, targets, and feature flags;
  • documented auth from env/config, never command-line secrets;
  • offline tests for parsing, command construction, status/list rendering, and
  • provider errors;

  • opt-in live smoke when credentials or quota are required;
  • docs that explain when to use the provider and when to choose an existing
  • workflow instead.

If the bar is not met, use ssh or external and document the manual contract.