Ask HN: Why are so many rolling out their own AI/LLM agent sandboxing solution?
Seeing a lot of people running coding agents (Claude Code, etc.) in custom sandboxes Docker/VMs, firejail/bubblewrap, scripts that gate file or network access.
Curious to know what's missing that makes people DIY this? And what would a "good enough" standard look like?
10 comments
[ 2.8 ms ] story [ 32.6 ms ] threadThe question is how easy is it to bypass these DIY 'sandboxes'?
As long as there is a full OS running, you are one libc function away from a sandbox escape.
Once started down this path, I knew I was going to need something for isolated exec envs. I ended up building something I think is quite awesome on Dagger. Let's me run in containers without running containers, can get a diff or rewind history, can persist and share wvia any OCI registry.
So on one hand, I needed something and chose a technology that would offer me interesting possibilities, and on the other I wanted to have features I don't expect the likes of Microsoft to deliver with Copilot, only one of which is my sandbox setup.
I'm not sure I would call it rolling my own completely, I'm building on established technology (OCI, OCR)
I don't expect a standard to arise, OCI is already widely adopted and makes sense, but there are other popular techs and there will be a ton of reimplementations by another name/claim. The other half of this is that AI providers are likely to want to run and charge money for this, I personally expect more attempts at vendor lock in in this space. In example, Anthropic bought Bun and I anticipate some product to come of this, isolation and/or canvas related
It simply feels as if there is no de facto standard yet (there surely will be).
I'm building on OCI (via Dagger), so you are in good company, if I may say so
This exists today in OSes in form of discretionary/mandatory permissions (e.g., SELinux, AppArmor, LandLocked).
If you cut network and files for Claude, for example, how is it even going to do the useful work?
For files it has an isolated file system. That can have a git clone.
In practice, agents don’t fail only because the model is wrong. They fail because the environment is flaky: missing deps, slow setup, weird state, unclear feedback loops. If you give an agent an isolated, secure environment that’s already set up for the repo, you remove a ton of friction and iterations become much more reliable.
The other piece is “authority” / standards. You can write guidelines, but what keeps agents (and humans) aligned is the feedback: tests, linters, CI rules, repo checks. Centralizing those standards and giving the agent a clean place to run them makes compliance much more deterministic.
We built this internally for our own agent workflows and we’re debating whether it’s worth offering the sandbox part as a standalone service (https://envs.umans.ai), because it feels like the part everyone ends up rebuilding.
I built a local runtime supervisor (Vallignus) specifically to catch these non-converging loops. It wraps the agent process to enforce egress filtering (blocking those random pip installs) and hard execution limits so they don't burn $10 retrying a fail state.
It's effectively a "process firewall" for the agentic workflow. Open source if you want to see the implementation: https://github.com/jacobgadek/vallignus