Tools: Essential Guide: The Problem Nobody Is Solving Properly in Multi-Agent AI
I was building a standard multi-agent coding loop (Developer, Tester, Reviewer), and I hit a fundamental flaw every major framework (AutoGen, CrewAI, LangGraph) ignores: the Tester agent can read the implementation. When a Tester reads the source code, it isn't testing whether the code meets the spec; it's just rubber-stamping the existing logic.

The industry's answer to this is either:

The Actual Solution: OS-Level Sandboxing

I didn't need network isolation or ephemeral filesystems. I just needed one agent to be physically unable to read another agent's files. What is the simplest mechanism that makes misbehavior physically impossible? The answer was sitting in the terminal:

    useradd --system --no-create-home --shell /usr/sbin/nologin warden-agent
    chmod 000 tests/

Linux file permissions exist precisely to enforce boundaries. Why spin up Docker when chmod does the exact same job natively with zero overhead?

The Architecture & Access Matrix

Three agents. Three access profiles. Enforced by the kernel.

But here is the optimization: you don't even need three separate Linux users. Because the agents are invoked sequentially via the Gemini CLI, I only use ONE dedicated unprivileged user (warden-agent). My orchestrator script simply flips the directory permissions immediately before handing over control to the respective agent.

All generated commands execute under this single daemon user, which has no password and no sudo access:

    sudo -u warden-agent bash -c "<cmd>"

Privilege escalation attempts crash instantly.

The Protocol & The Infinite Loop Breaker

Agents never talk directly via APIs or message queues. The text files ARE the protocol.

The Reviewer's Kill Switch (WIP): LLMs are notorious for getting stuck in infinite loops, applying the same wrong fix repeatedly. To solve this, the Reviewer acts as a circuit breaker. If the tests fail and the Reviewer notices the exact same bug is already documented in REVIEW.md, it hard-stops the orchestration and writes "Found same error again". If it's a new error, it appends it to REVIEW.md for the Developer to fix. If the tests pass, the task is marked done in TASKS.md. Zero human intervention in the normal path.

Why This Beats Docker for Local Sandboxing

Docker isolates the agent system from the host machine. My approach isolates agents from each other on the same host, on the same filesystem, with zero container overhead. When your threat model is just AI cheating or running bad shell commands, you don't need a network namespace. You need one restricted Linux user and some permission bits.

(Side note: I ran a prior art search across GitHub, arXiv, and major frameworks. I found no prior art for applying native OS DAC to inter-agent trust boundaries in a coding loop prior to 2025.)

Current Status & Repo

The tool is working via a single Python script (run.py) that acts as the orchestrator, wrapping the Gemini CLI for sequential execution. You can configure different models (Gemini, Claude, OpenAI) for different roles. If you want to see this in action, the repo is live. It currently features a test implementation building a To-Do list application, completely orchestrated and tested by the AI sandbox.

Full disclosure: I have never actually used AutoGen, CrewAI, LangGraph, or any of those agent frameworks. I haven't even read their architecture docs. And I have never used Docker in my life. I just looked at the fundamental problem of how to stop AI agents from cheating or reading each other's files, and realized the Linux kernel already solved this in the 1970s.

🔗 GitHub Repo: hrutavmodha/ai-sandboxer

Stars, thoughts, and brutal feedback are all welcome. Right now, this is just a standalone script in a repo.
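As an added example (not the repo's run.py), here is a Python sketch of the two mechanisms described above: flipping directory mode bits per role before handing control to the single warden-agent user, and the Reviewer's duplicate-error kill switch. The access matrix, the one-error-per-line layout of REVIEW.md and the enforceable() ownership check are my assumptions, not the post's.

```python
import os
import re
import shutil
import tempfile

# Assumed access matrix (hypothetical; the post itself gives only chmod 000
# tests/ for the Developer): mode set on each directory before that role runs.
ROLE_MODES = {
    "developer": {"src": 0o770, "tests": 0o000},  # cannot read the tests
    "tester":    {"src": 0o000, "tests": 0o770},  # cannot read the implementation
    "reviewer":  {"src": 0o550, "tests": 0o550},  # read-only view of both
}

def apply_role_permissions(workdir, role):
    """Flip the mode bits for `role`; return the modes actually set."""
    applied = {}
    for sub, mode in ROLE_MODES[role].items():
        path = os.path.join(workdir, sub)
        os.chmod(path, mode)
        applied[sub] = os.stat(path).st_mode & 0o777
    return applied

def enforceable(path, agent_uid):
    """True if the agent cannot chmod the directory back, i.e. does not own it."""
    return os.stat(path).st_uid != agent_uid

def normalize(error):
    # Drop line numbers and collapse whitespace so a cosmetic change does not
    # hide "the same bug again".
    return re.sub(r"\s+", " ", re.sub(r":\d+", ":N", error)).strip().lower()

def reviewer_decision(review_md, tests_passed, error):
    """Kill switch: 'done', 'stop' (error already in REVIEW.md, one per line) or 'append'."""
    if tests_passed:
        return "done"
    if normalize(error) in {normalize(line) for line in review_md.splitlines()}:
        return "stop"   # orchestrator writes "Found same error again" and halts
    return "append"

def demo():
    """Constructed run in a temp workdir: flip modes per role, then restore."""
    work = tempfile.mkdtemp()
    for sub in ("src", "tests"):
        os.mkdir(os.path.join(work, sub))
    result = {role: apply_role_permissions(work, role) for role in ROLE_MODES}
    for sub in ("src", "tests"):
        os.chmod(os.path.join(work, sub), 0o700)   # restore so cleanup works
    shutil.rmtree(work)
    return result
```

The ownership check matters because chmod 000 only binds a user who does not own the directory (and never binds root); the orchestrator user, not warden-agent, must own src/ and tests/.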
Do you think an OS-native sandboxing orchestrator like this is worth polishing and publishing as a proper package on PyPI or npm? Let me know your thoughts.