01 — One binary

Run any app,
anywhere.

Dev environments, an app runner, and a deploy tool — in a single 4 MB binary. No Docker. No Homebrew.

curl -fsSL dew.sh/install | sh  ·  macOS · Linux · Windows

4 MB single binary
30ms VM boot
0 Docker required
02 — What it does

Four jobs, one tool.

Dew collapses the dev-to-prod toolchain into a single binary that runs everything inside a lightweight VM.

Dev environments

Auto-detect your project, boot a VM, install, and start with hot reload. dew up and you're running.

→ Vite · Next · Astro · Django · Flask

Run open-source apps

Browse a catalog and run Ghost, Uptime Kuma and more in an isolated VM. No Docker required.

→ dew app run ghost

Share instantly

A temporary public HTTPS URL for any local port. Zero config, zero account.

→ dew share 3000

Deploy to a VPS

Build locally, deploy to any VPS with SSE progress, health checks and rollback. No Docker on the server.

→ dew deploy 5.161.53.168

Agent-native

Every command supports --json and --dry-run. Built for scripts and AI agents.

→ --events NDJSON stream

Isolated & signed

Apps run behind a hardware VM boundary. Signed, notarized, network off by default.

→ Apple Virtualization.framework
03 — Dev environments

Detect, boot, install,
start.

dew up reads your project, picks the right profile, and boots an isolated VM — your host stays clean.

  1. Detects — Vite, Next, Astro, Nuxt, SvelteKit, Django, Flask, FastAPI, static HTML.
  2. Boots a VM — Apple VZ on macOS, WSL2 on Windows. 30ms cold start.
  3. Installs & serves — dependencies resolved inside the VM, hot reload wired to your editor.
  4. Add services: dew up --with postgres,redis attaches data stores on demand.
04 — Architecture

Same binary on both ends.

Your machine runs the client; the VPS runs dew serve. The deploy travels over one HTTP API.

macOS / Windows (4 MB): dew up, dew app run, dew build, dew deploy, dew share, Apple VZ / WSL2 VM

Linux VPS (7 MB): HTTP deploy API, containerd + nerdctl, self-signed TLS, process management, health check + rollback, dew serve

· Image profiles

Pick a profile, pay for the size you use.

| Profile | Contents | Size | RAM |
|---|---|---|---|
| minimal | Alpine + exec agent | 5 MB | 512 MB |
| node | + Node.js, npm, build tools | 31 MB | 1 GB |
| python | + Python 3, pip | 31 MB | 1 GB |
| standard | + containerd, nerdctl, runc | 129 MB | 2 GB |

05 — Agent integration

Readable by humans.
Parseable by agents.

Every command emits structured JSON on --json, validates with --dry-run, and streams lifecycle events as NDJSON.

Input hardening: Rejects path traversal, query injection and control characters.
Dry-run everything: Validate a deploy without touching the server.

$ dew app run ghost --port 3000 --json
{
  "ok": true,
  "app": "ghost",
  "port": 3000,
  "url": "http://localhost:3000"
}

$ dew deploy prod --dry-run
Would deploy my-app.tar.gz → https://prod:9080
No changes made.
06 — Security

Isolated by default.

Apps never touch your host directly. The boundary is hardware, not a sandbox flag.

VM isolation: Apple Virtualization.framework hardware boundary.
Signed + notarized: Developer ID, hardened runtime, Apple notarization.
Self-signed TLS: Auto-generated ECDSA cert for the deploy API.
Constant-time tokens: SHA-256 hashes, timing-safe verification.
Network off by default: No NIC unless you pass --network.
Capability drop: Guest agent drops root after vsock bind.
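
The "Constant-time tokens" item above names a pattern that can be sketched as follows. This is an added example, not dew's own code: the TokenStore class, its method names and the token format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class TokenStore:
    """Hypothetical server-side store: keeps SHA-256 digests, never tokens."""

    def __init__(self):
        self._digests = {}  # label -> 32-byte SHA-256 digest

    def issue(self, label):
        """Create a random token, remember only its digest, return it once."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._digests[label] = hashlib.sha256(token.encode("ascii")).digest()
        return token

    def revoke(self, label):
        """Forget a token; returns True if the label existed."""
        return self._digests.pop(label, None) is not None

    def verify(self, presented):
        """Return the label of the matching token, or None."""
        # Issued tokens are non-empty ASCII, so anything else cannot match.
        if not isinstance(presented, str) or not presented:
            return None
        if not presented.isascii():
            return None
        # Hashing first gives both operands a fixed length, so the comparison
        # reveals nothing about the length of a stored token.
        candidate = hashlib.sha256(presented.encode("ascii")).digest()
        matched = None
        # No early exit: every stored digest is compared with
        # hmac.compare_digest, whose running time does not depend on the
        # position of the first differing byte.
        for label, digest in self._digests.items():
            if hmac.compare_digest(candidate, digest):
                matched = label
        return matched


if __name__ == "__main__":
    store = TokenStore()
    token = store.issue("ci")  # "ci" is a constructed sample label
    print(store.verify(token))        # label of the valid token
    print(store.verify(token + "x"))  # altered token is rejected
    store.revoke("ci")
    print(store.verify(token))        # revoked token is rejected
```

A leaked copy of the digest table does not yield usable tokens, because the random tokens cannot be recovered from their SHA-256 digests.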
07 — Install

No credit card. No account.
One command.

A 4 MB binary. Free and MIT-licensed. Pick your platform.

$ curl -fsSL https://github.com/solcreek/dew/releases/latest/download/install.sh | sh