Sandboxing & Execution Isolation

Module 5 · Master Course

90 min · The blast radius problem · Where security engineering meets harness engineering

The blast radius problem

Any harness that runs shell, writes files, or calls APIs has a blast radius. The core decision: where does the loop live, and what can a compromised agent reach?

By the end: the inside-vs-outside split, the provider landscape, filesystem/network scoping, and the credential boundary that decides everything.

5.1 The Fundamental Split

Inside vs outside (Luzzardi)

Inside-sandbox (Claude Code)
Loop + tools + memory + credentials all in one container.

Gain: simple, no API hop.
Cost: credentials reachable; no idle suspend.
Outside-sandbox (Agents SDK)
Loop on backend; sandbox via API for tool exec.

Gain: credentials stay on backend; idle suspend; multi-tenant.
Cost: API-hop latency; state-sync complexity.

The credential question decides

The deciding factor is almost always credentials. Multi-tenant → credentials cannot live in the sandbox. An agent that can read its own env vars can exfiltrate them.

Same governance-beneath-the-agent principle (Module 0.2 / NemoClaw), applied at the sandbox layer. Not aesthetic — forced by the multi-tenant requirement.

5.2 Sandbox Providers

The provider landscape

ProviderIsolationCold startBest for
Local bashNoneinstantdev only
DockerContainersecondsmost production
E2BmicroVMfastephemeral exec
Modalcloud containermediumstateful, long tasks
Daytonadev envmediumfull workspace isolation
Edge (CF/Vercel)edgevery fastlow-latency, limited

Agents SDK: 7 providers behind a uniform abstraction — deployment-time choice, not design-time constraint.

5.3 Filesystem & Network Scoping

Three independent gates

Read scope: workspace + allowlist. Never ~/.ssh, ~/.aws, system paths.
Write scope: workspace only. Never secrets paths.
Network egress: allowlist. Allow-all = exfiltration surface. Deny-all = max safety, limited tools.

Defense in depth: even if the agent reads a secret (read-scope misconfigured), allowlist egress blocks the exfiltration. Gates are independent.

The credential boundary

Credentials never enter the sandbox. The agent process has NO credentials in its environment. When an authenticated action is needed, the BACKEND performs it (with the credential) and returns the result.

The agent literally cannot exfiltrate what it cannot read. Module 0.2's governance principle at the sandbox layer.

5.4 Lifecycle Management

Cold start, idle, crash

StateWhat happens
Cold startsandbox init → first tool call (latency). Mitigate: warm pools
Idle suspendoutside-sandbox only; saves cost when waiting for human
Crashretry + checkpoint restore (Module 8), or fatal
Resource capsCPU/mem/wall-clock limits; prevents resource-exhaustion attack (ASI #9)

Four anti-patterns

Unsandboxed production. bash with full host access. Blast radius = entire host. Cure: Docker minimum.
Credentials in sandbox env. Escaped process exfiltrates. Cure: outside-sandbox; backend holds creds.
Allow-all egress. Exfiltration surface. Cure: allowlist.
No lifecycle mgmt. Cost grows unbounded. Cure: idle timeout + caps.

Outside-sandbox as an n8n workflow

Per the visual stack: the credential + egress gates as nodes.

Loop (backend) → Model Call → command requested
   │
   ▼
Credential Check ─── needs auth? → Backend resolves (cred stays here)
   │
   ▼
Egress Check ─── URL on allowlist?
   ├─ yes → Sandbox: Execute (isolated container, no creds in env)
   └─ no  → Blocked (exfiltration prevented)
   │
   ▼
Return result to loop

Two independent security gates as nodes. Credential boundary + egress boundary. The production pattern behind the Agents SDK.

Takeaways

  • Inside vs outside — the credential question decides. Multi-tenant → outside.
  • Six providers — Docker default; E2B for latency; Agents SDK abstracts them.
  • Three gates — read scope, write scope, egress allowlist. Independent; defense in depth.
  • Credential boundary — creds never enter sandbox; backend resolves authenticated actions.
  • Lifecycle — cold start, idle suspend, crash recovery, resource caps.

Next: Module 6 — Permission, Approval & Safety Architecture.