Cordium launches as FOSS self-hosted sandbox platform with built-in ZTNA
Cordium is a free, open-source, self-hosted sandbox platform built on Kubernetes that offers identity-based, secretless infrastructure access as an alternative to GitHub Codespaces, E2B, and Daytona.
Teams running AI agents or developer sandboxes that need secure, auditable access to internal infrastructure can replace credential injection with identity-based policy enforcement using Cordium's built-in ZTNA layer.
Cordium is a FOSS, self-hosted sandbox platform built on Kubernetes and the author's primary project, Octelium. It supports a wide range of workloads — persistent and ephemeral, short- and long-lived — including developer coding environments with VSCode and Zed, AI agent tasks, and CI/CD pipelines such as building and publishing Docker images.
The platform's central differentiator from other dev environment and sandbox tools is its built-in Zero Trust Network Access (ZTNA). Rather than injecting credentials such as API keys, SSH private keys, or database passwords into sandboxes, Cordium provides identity-based, secretless access to external resources. Upstream credentials are held by an identity-aware proxy on the Octelium-protected resource, outside the sandbox's reach. Permissions are enforced through L7-aware, pre-request access control using CEL/OPA policy-as-code, making Cordium effectively a general-purpose sandbox platform with a ZTNA/remote-access-VPN layer and unified identity management baked in.
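A minimal model of the flow described above, added here as an illustration and not Cordium or Octelium code. The rule format, the names and the sample token are assumptions standing in for CEL/OPA policy-as-code and the real identity-aware proxy.

```python
import posixpath
from dataclasses import dataclass, field

# Constructed sample data. The upstream credential exists only on the proxy side.
UPSTREAM_SECRETS = {"billing-api": "Bearer constructed-upstream-token"}

# Hypothetical rules standing in for CEL/OPA policy-as-code; anything unmatched is denied.
POLICY = [
    {"group": "ci-agents", "service": "billing-api",
     "methods": {"GET"}, "path_prefix": "/v1/invoices"},
]

@dataclass
class Request:
    identity: str   # asserted by the platform for the sandbox, never self-declared
    groups: set
    service: str
    method: str
    path: str
    headers: dict = field(default_factory=dict)

def authorize(req: Request) -> bool:
    """Per-request L7 decision on identity group, method and normalized path."""
    path = posixpath.normpath(req.path)  # resolve ".." segments before matching
    for rule in POLICY:
        prefix = rule["path_prefix"]
        if (rule["group"] in req.groups
                and rule["service"] == req.service
                and req.method in rule["methods"]
                # match whole path segments so "/v1/invoices-export" does not pass
                and (path == prefix or path.startswith(prefix + "/"))):
            return True
    return False

def forward(req: Request, audit: list):
    """Return (status, headers sent upstream); headers is None when denied."""
    allowed = authorize(req)
    audit.append((req.identity, req.service, req.method, req.path, allowed))
    if not allowed:
        return 403, None
    # Discard any credential the sandbox supplied, then attach the proxy-held one.
    headers = {k: v for k, v in req.headers.items() if k.lower() != "authorization"}
    headers["Authorization"] = UPSTREAM_SECRETS[req.service]
    return 200, headers
```

The sandbox only ever sends its request and receives a response; the value in `UPSTREAM_SECRETS` is attached after the policy decision and every decision, allowed or denied, lands in the audit list.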
The project is licensed under Apache 2.0 and is strictly intended for self-hosting, with no plans for a pro, SaaS, or commercial version. Although it was open-sourced only recently, development dates back to 2022 — an earlier version is visible at the `octelium/spaces` GitHub repository — and it is already in production use at several organizations running Octelium. The author describes it as not yet `v1.0`-ready but production-grade.
Key facts
- Cordium is a FOSS, self-hosted, general-purpose sandbox platform built on Kubernetes and Octelium.
- It targets coding environments (VSCode, Zed), AI agent tasks, and CI/CD workloads as use cases.
- Key differentiator: identity-based, secretless access to infrastructure without injecting credentials into the sandbox.
- Access control is enforced via L7-aware, pre-request CEL/OPA policy-as-code.
- Upstream credentials are held by an identity-aware proxy outside the sandbox's reach.
- Licensed under Apache 2.0; no plans for a pro, SaaS, or commercial version.
- Development began in 2022 and the platform is already in production use at several organizations.
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Jun 7, 2026 · 12:45 UTC.