One sandbox per project
Sandboxes are project-scoped. Opening a project either reconnects to its existing sandbox or provisions a fresh one. The lifecycle looks like this:- Create: a sandbox is provisioned when the project needs one.
- Execute: the agent writes files, installs dependencies, and runs build commands.
- Preview: a live URL is returned and embedded in the workspace, with an option to open it in a new tab.
- Teardown: after a period of inactivity, the sandbox is cleaned up. Your code is safe; it lives in the project’s Git repository, not only in the sandbox.
Cold boots
When you return to a project whose sandbox has been torn down, ProductOS restores it: it pulls your code back in, reinstalls anything missing, and restarts the dev server. A boot loader shows progress while this happens. A few things keep cold boots short:- Prewarming: after your code is pulled in, the home route is compiled ahead of time, so you do not pay a cold compile on your first navigation.
- Volume-backed templates: curated templates that ship with a prepared volume boot in about 3 seconds instead of roughly 25 seconds for the standard import path. See Templates.
- A hard ceiling on the loader: if the preview cannot be restored within the time limit (150 seconds by default), you get an actionable error with options to try again or start a build, instead of an indefinite spinner.
The preview loader is dismissed when the app actually responds, not on a fixed timer. If you see the loader for a while on a large project, the sandbox is still compiling; it will hand off as soon as the app serves a real page.
Resources by plan
Sandbox memory is sized by your plan, so heavier builds get more headroom:
Credit consumption is tracked per sandbox session and per AI call; you can review it on your usage page. See Plans and credits.
Security notes
- Sandboxes are isolated from each other and from ProductOS infrastructure.
- Platform credentials never enter your sandbox. For example, when a template is cloned for you, the download happens server-side and only the extracted files reach the sandbox.
- Your project’s canonical code lives in Git, so a torn-down sandbox never means lost work.