---
id: "entity-sandcastle"
type: "entity"
entityType: "tool"
canonicalName: "Sandcastle"
source_timestamps: ["00:24:45", "00:29:59"]
tags: ["open-source", "tooling", "sandboxing", "typescript"]
related: ["concept-afk-agent-work", "framework-afk-agent-pipeline", "entity-matt-pocock", "action-use-sandcastle"]
canonicalUrl: "https://github.com/mattpocock/sandcastle"
---
# Sandcastle

## What it is

A TypeScript library created by [[entity-matt-pocock|Matt Pocock]] designed to **orchestrate AI coding agents inside isolated sandboxes**. It is provider-agnostic, with built-in support for Docker, Podman, and Vercel sandboxes.

## Why it exists

Without isolation, autonomous agents can:

- Delete local files outside the intended workspace.
- Exfiltrate environment variables and secrets.
- Corrupt the host git state.
- Run unbounded shell commands.

Sandcastle is the safety contract that makes [[concept-afk-agent-work|AFK]] agent work viable.

## Role in the pipeline

Sandcastle is the execution layer in [[framework-afk-agent-pipeline]]:

1. Orchestrator picks an issue from the queue.
2. **Sandcastle spins up an isolated environment.**
3. Agent runs inside that sandbox.
4. Agent commits on a branch and opens a PR; the sandbox is then torn down.
5. Optional secondary agent reviews via GitHub Actions.
6. Human merges.
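To make step 2 concrete, here is an added example (not Sandcastle's own API, and not code from the page) of what "spins up an isolated environment" means in terms of the risks listed under "Why it exists". It assembles a `docker run` invocation using only standard Docker CLI flags; the image name, workspace path, env allowlist and resource limits are assumed values chosen for illustration, and each flag is tied to the risk it addresses.

```typescript
// Added example, not Sandcastle's code: one agent run in a locked-down Docker
// container. Every flag below is a standard `docker run` option; the image,
// paths and limits are illustrative assumptions.
import { spawnSync } from "node:child_process";
import { isAbsolute } from "node:path";

export interface SandboxSpec {
  image: string;               // agent runtime image (assumed name)
  workspace: string;           // absolute host path to a FRESH clone for this issue,
                               // never the host's own checkout (protects host git state)
  allowedEnv: string[];        // only these env var names may cross into the sandbox
  command: string[];           // the agent's entrypoint and arguments
  network?: "none" | "bridge"; // default "none": the agent process has no egress
  timeoutSeconds?: number;     // hard wall-clock limit on the whole run
}

const ENV_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

export function buildDockerArgs(
  spec: SandboxSpec,
  hostEnv: Record<string, string | undefined> = process.env,
): string[] {
  if (!isAbsolute(spec.workspace)) {
    throw new Error(`workspace must be an absolute path: ${spec.workspace}`);
  }
  const args: string[] = [
    "run", "--rm",                        // container is torn down when the agent exits
    "--network", spec.network ?? "none",  // no network => nothing to exfiltrate to
    "--read-only",                        // immutable root filesystem
    "--tmpfs", "/tmp:rw,noexec,nosuid,size=256m",
    "--cap-drop", "ALL",                  // no Linux capabilities at all
    "--security-opt", "no-new-privileges",
    "--user", "1000:1000",                // never root inside the sandbox
    "--pids-limit", "256",                // runaway shells and fork bombs hit a ceiling
    "--memory", "2g", "--cpus", "2",
    // The only host path visible is the per-issue workspace; deletes stay inside it.
    "--mount", `type=bind,source=${spec.workspace},target=/workspace`,
    "--workdir", "/workspace",
  ];
  // Environment is allowlisted by name: host secrets are not inherited by default.
  for (const name of spec.allowedEnv) {
    if (!ENV_NAME.test(name)) throw new Error(`invalid env var name: ${name}`);
    const value = hostEnv[name];
    if (value === undefined) continue; // allowlisted but unset on the host: skip
    args.push("--env", `${name}=${value}`);
  }
  args.push(spec.image, ...spec.command);
  return args;
}

export function runSandboxed(
  spec: SandboxSpec,
  hostEnv: Record<string, string | undefined> = process.env,
) {
  const args = buildDockerArgs(spec, hostEnv);
  // Arguments are passed as an array, so no shell is involved on the host side.
  const result = spawnSync("docker", args, {
    encoding: "utf8",
    timeout: (spec.timeoutSeconds ?? 900) * 1000, // agent is killed after the limit
  });
  const timedOut =
    result.error !== undefined && (result.error as { code?: string }).code === "ETIMEDOUT";
  return { status: result.status, timedOut, stdout: result.stdout, stderr: result.stderr };
}
```

With `network` left at `"none"` the agent can commit on its branch but cannot push; in that arrangement the orchestrator on the host pushes the branch and opens the PR after the container has exited, so no repository credential ever enters the sandbox. Step 4 of the pipeline can equally be done from inside with `network: "bridge"` and a narrowly scoped token in `allowedEnv`; the allowlist is what keeps every other host secret out.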

## Adoption directive

[[action-use-sandcastle]].
