Safely execute AI-generated Ruby code or user-submitted scripts inside an application without giving them filesystem or network access.
Run user-defined formulas or plugins in a sandbox with enforced time and memory limits.
Expose a controlled set of host functions, called Services, that sandboxed scripts can call by name.
| elct9620/kobako | 100rabhg/masterdetailapp | 100rabhg/pizzafactroy | |
|---|---|---|---|
| Stars | 0 | — | — |
| Language | Ruby | Ruby | Ruby |
| Last pushed | — | 2024-02-20 | 2025-01-26 |
| Maintenance | — | Dormant | Stale |
| Setup difficulty | moderate | moderate | moderate |
| Complexity | 4/5 | 2/5 | 3/5 |
| Audience | developer | developer | pm founder |
Figures from each repo's GitHub metadata at analysis time.
Requires Ruby 3.3 or newer plus Rust and Cargo at install time to compile the native extension, Windows is not supported.
Kobako is a Ruby gem, a packaged library, that lets you run untrusted Ruby scripts safely inside your existing application. The problem it solves is this: if you want to allow AI-generated code, user-written formulas, student homework, or third-party plugins to execute, giving that code direct access to your application is dangerous, since it could read files, open network connections, or access credentials. Kobako creates an isolated sandbox using WebAssembly, or Wasm, so untrusted scripts execute in-process but cannot touch your host memory, files, network, or environment variables. The sandbox works through a host and guest model. Your application is the host, running an engine called wasmtime that executes a precompiled Wasm binary containing an embedded mruby interpreter, a lightweight version of Ruby designed for embedding. Untrusted scripts run inside the mruby guest. The only way a guest script can reach anything outside the sandbox is through Services you explicitly declare, meaning named Ruby objects bound by name, such as a database lookup or a logging function. The guest calls these by name over a message-passing channel and receives only the return value, so it cannot inspect the host object itself. Every execution enforces configurable time and memory limits, raising specific error types when a cap is exceeded, and a third error type covers faults in the script itself. Stdout and stderr from guest scripts are captured into separate buffers after each run. The gem ships with a precompiled Wasm binary, so end users only need Ruby 3.3 or newer, while Rust and Cargo are required at install time to compile the native extension. Linux and macOS are supported, Windows is not.
A Ruby gem that runs untrusted Ruby scripts safely in a WebAssembly sandbox, letting apps execute AI-generated code or user formulas without touching host files, network, or memory.
Mainly Ruby. The stack also includes Ruby, WebAssembly, wasmtime.
No license file is mentioned in the README, so reuse terms are unclear.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.