Remix.run Logo
LuD1161 4 days ago

With agentjail ( https://github.com/LuD1161/agentjail ), I've tried to contain coding agents in os-native sandboxes (sbpl for macos and similarly for linux, <4ms start time) + policy guardrails evaluated by Open Policy Agent (OPA), policies written in rego.

Protocol aware network proxy coming soon Then you can match a DSL and block particular network requests.

This ensures you no longer fear --dangerously-skip-permissions and stop babysitting agents

What else would you want to see in this project? Please star the repo, if you like the idea :)

janalsncm 4 days ago | parent | next [-]

It seems like your approach depends on figuring out what the command is doing, classifying it into three tiers (deny/ask/approve) and then letting the agent run its command depending on that classification. Is that right?

LuD1161 4 days ago | parent [-]

Hey thanks for the question. I would like to answer it in a more descriptive manner with an example later.

Classifying a command can be a bit of a misnomer because it has two inherent problems:

1. You need a classifier. That means the security boundary becomes “can I trick or bypass the classifier?” Whether it is a smaller model or a pile of regexes, it will eventually have edge cases.

2. The token economics do not work, and it also needs to be fast. I do not want an eval evaluating another eval for every command.

So the approach I took is closer to how we normally build security systems: secure defaults and deterministic boundaries.

For example, to protect secrets, AgentJail can block access to paths like `~/.ssh`, `~/.aws/credentials`, `.env`, etc. at the OS level.

The OS is the deterministic boundary here. The ring-0 enforcement layer.

The more interesting problem is network access. You may genuinely want the agent to debug a production Kubernetes cluster, inspect an AWS resource, or query a production database. A blanket network deny would make the agent useless.

For that, I am taking a protocol-aware DSL approach. Something like:

``` deny if { request.host == "api.github.com" request.method == "POST" startswith(request.path, "/repos/") endswith(request.path, "/git/refs") }

ask if { request.host == "kubernetes.default.svc" request.method == "DELETE" }

allow if { request.host == "api.github.com" request.method == "GET" } ```

So instead of trying to classify whether a command is “dangerous,” the policy describes exactly which resources and operations are allowed, denied, or require approval.

The agent can still be probabilistic. The enforcement boundary should not be.

Does that answer to your question?

yencabulator 4 days ago | parent | prev | next [-]

> What else would you want to see in this project?

Absence of spamming mentions of it everywhere.

LuD1161 4 days ago | parent [-]

You mean, I should stop posting much about it ? Is it too aggressive posting Am sorry about that.

pshirshov 4 days ago | parent | prev [-]

[flagged]