Teaching Script — Module 5: Sandboxing & Execution Isolation

Module: 5 · Duration: ~90 min (presentation-pace + blast-radius lab)


[SLIDE 1] Module Five: Sandboxing and Execution Isolation. Ninety minutes. The blast radius problem — where security engineering meets harness engineering.

[SLIDE 2] Any harness that runs shell commands, writes files, or calls APIs has a blast radius. The core decision: where does the loop live, and what can a compromised agent reach? By the end you'll know the inside-versus-outside split, the provider landscape, the three scoping gates, and the credential boundary that decides everything.

[SLIDE 3 — 5.1] Sub-section 5.1: The Fundamental Architecture Split.

[SLIDE 4 — Inside vs outside] The Luzzardi framing. Inside-sandbox — Claude Code's model — loop, tools, memory, and credentials all in one container. Gain: simple execution, no API hop. Cost: credentials are reachable; no idle suspension; harder to multi-tenant. Outside-sandbox — the OpenAI Agents SDK model — loop runs on the backend, calls the sandbox over an API for tool execution. Gain: credentials stay on the backend, sandbox can suspend when idle, multi-tenant friendly. Cost: API-hop latency on every tool call, state-sync complexity.

[SLIDE 5 — Credential question] The deciding factor between inside and outside is almost always credentials. If you're running multi-tenant — multiple customers' agents in the same infrastructure — credentials cannot live in the sandbox. A sandboxed agent that can read its own environment variables can exfiltrate them. This is the same governance-beneath-the-agent principle from Module 0.2, applied at the sandbox layer. The decision is not aesthetic — it is forced by the multi-tenant requirement.

[SLIDE 6 — 5.2] Sub-section 5.2: Sandbox Providers.

[SLIDE 7 — Providers] Six providers. Local bash — no isolation, instant, dev only. Docker — container isolation, seconds to cold start, the production default. E2B — cloud microVM, purpose-built fast cold start, ephemeral execution. Modal — cloud container, stateful, medium cold start, good for long tasks. Daytona — full dev workspace isolation. Edge — Cloudflare or Vercel — very fast but limited capability. The Agents SDK's contribution: seven providers behind a uniform abstraction, making the provider a deployment-time choice, not a design-time constraint.

[SLIDE 8 — 5.3] Sub-section 5.3: Filesystem and Network Scoping.

[SLIDE 9 — Three gates] Three independent gates. Read scope — workspace plus an allowlist; never SSH keys, never AWS credentials, never system paths. Write scope — workspace only; never secrets paths. Network egress — allowlist; allow-all is an exfiltration surface; deny-all is maximum safety but limits tools. Defense in depth: even if the agent reads a secret because read scope is misconfigured, allowlist egress blocks the exfiltration. The gates are independent — each one is a separate defense.

[SLIDE 10 — Credential boundary] The credential boundary. Credentials never enter the sandbox. The agent process has no credentials in its environment. When an authenticated action is needed, the backend performs it with the credential and returns the result. The agent literally cannot exfiltrate what it cannot read. Module 0.2's governance principle, at the sandbox layer.

[SLIDE 11 — 5.4] Sub-section 5.4: Sandbox Lifecycle Management.

[SLIDE 12 — Cold start, idle, crash] Cold start adds latency before the first tool call. Mitigate with warm pools — pre-initialized sandboxes ready to receive work. Idle suspension saves cost when the agent is waiting for a human — outside-sandbox only; inside-sandbox cannot suspend because the loop and sandbox are one process. Crash triggers retry with checkpoint restore from Module 8, or a fatal exit. And resource caps — CPU, memory, wall-clock — prevent the resource-exhaustion attack, OWASP ASI number 9.

[SLIDE 13 — Anti-patterns] Four anti-patterns. The unsandboxed production harness — bash with full host access, blast radius is the entire host; cure is Docker minimum. Credentials in the sandbox env — escaped process exfiltrates; cure is outside-sandbox with backend-held credentials. Allow-all egress — exfiltration surface; cure is allowlist. No lifecycle management — cost grows unboundedly; cure is idle timeout plus resource caps.

[SLIDE 14 — n8n workflow] Per the visual stack, here's the outside-sandbox pattern as a node graph. The loop runs in n8n — the backend. The model requests a command. Credential check: does this command need auth? If yes, the backend resolves it — the credential never enters the sandbox. Egress check: is the URL on the allowlist? If yes, execute in the sandbox node — an isolated container with no credentials in its env. If no, block — exfiltration prevented. Two independent security gates as nodes. This is the production pattern behind the Agents SDK.

[SLIDE 15 — Takeaways] Five things. Inside versus outside — the credential question decides; multi-tenant means outside. Six providers — Docker default, E2B for latency, Agents SDK abstracts them. Three gates — read, write, egress — independent, defense in depth. Credential boundary — credentials never enter the sandbox. Lifecycle — cold start, idle suspend, crash recovery, resource caps. Next: Module Six — Permission, Approval, and Safety Architecture.


End of Module 5 teaching script. ~1,700 scripted words; remaining time is the blast-radius lab (deploy inside vs outside; compare what the agent can reach).

# Teaching Script — Module 5: Sandboxing & Execution Isolation

**Module**: 5 · **Duration**: ~90 min (presentation-pace + blast-radius lab)

---

[SLIDE 1] Module Five: Sandboxing and Execution Isolation. Ninety minutes. The blast radius problem — where security engineering meets harness engineering.

[SLIDE 2] Any harness that runs shell commands, writes files, or calls APIs has a blast radius. The core decision: where does the loop live, and what can a compromised agent reach? By the end you'll know the inside-versus-outside split, the provider landscape, the three scoping gates, and the credential boundary that decides everything.

[SLIDE 3 — 5.1] Sub-section 5.1: The Fundamental Architecture Split.

[SLIDE 4 — Inside vs outside] The Luzzardi framing. Inside-sandbox — Claude Code's model — loop, tools, memory, and credentials all in one container. Gain: simple execution, no API hop. Cost: credentials are reachable; no idle suspension; harder to multi-tenant. Outside-sandbox — the OpenAI Agents SDK model — loop runs on the backend, calls the sandbox over an API for tool execution. Gain: credentials stay on the backend, sandbox can suspend when idle, multi-tenant friendly. Cost: API-hop latency on every tool call, state-sync complexity.

[SLIDE 5 — Credential question] The deciding factor between inside and outside is almost always credentials. If you're running multi-tenant — multiple customers' agents in the same infrastructure — credentials cannot live in the sandbox. A sandboxed agent that can read its own environment variables can exfiltrate them. This is the same governance-beneath-the-agent principle from Module 0.2, applied at the sandbox layer. The decision is not aesthetic — it is forced by the multi-tenant requirement.

[SLIDE 6 — 5.2] Sub-section 5.2: Sandbox Providers.

[SLIDE 7 — Providers] Six providers. Local bash — no isolation, instant, dev only. Docker — container isolation, seconds to cold start, the production default. E2B — cloud microVM, purpose-built fast cold start, ephemeral execution. Modal — cloud container, stateful, medium cold start, good for long tasks. Daytona — full dev workspace isolation. Edge — Cloudflare or Vercel — very fast but limited capability. The Agents SDK's contribution: seven providers behind a uniform abstraction, making the provider a deployment-time choice, not a design-time constraint.

[SLIDE 8 — 5.3] Sub-section 5.3: Filesystem and Network Scoping.

[SLIDE 9 — Three gates] Three independent gates. Read scope — workspace plus an allowlist; never SSH keys, never AWS credentials, never system paths. Write scope — workspace only; never secrets paths. Network egress — allowlist; allow-all is an exfiltration surface; deny-all is maximum safety but limits tools. Defense in depth: even if the agent reads a secret because read scope is misconfigured, allowlist egress blocks the exfiltration. The gates are independent — each one is a separate defense.

[SLIDE 10 — Credential boundary] The credential boundary. Credentials never enter the sandbox. The agent process has no credentials in its environment. When an authenticated action is needed, the backend performs it with the credential and returns the result. The agent literally cannot exfiltrate what it cannot read. Module 0.2's governance principle, at the sandbox layer.

[SLIDE 11 — 5.4] Sub-section 5.4: Sandbox Lifecycle Management.

[SLIDE 12 — Cold start, idle, crash] Cold start adds latency before the first tool call. Mitigate with warm pools — pre-initialized sandboxes ready to receive work. Idle suspension saves cost when the agent is waiting for a human — outside-sandbox only; inside-sandbox cannot suspend because the loop and sandbox are one process. Crash triggers retry with checkpoint restore from Module 8, or a fatal exit. And resource caps — CPU, memory, wall-clock — prevent the resource-exhaustion attack, OWASP ASI number 9.

[SLIDE 13 — Anti-patterns] Four anti-patterns. The unsandboxed production harness — bash with full host access, blast radius is the entire host; cure is Docker minimum. Credentials in the sandbox env — escaped process exfiltrates; cure is outside-sandbox with backend-held credentials. Allow-all egress — exfiltration surface; cure is allowlist. No lifecycle management — cost grows unboundedly; cure is idle timeout plus resource caps.

[SLIDE 14 — n8n workflow] Per the visual stack, here's the outside-sandbox pattern as a node graph. The loop runs in n8n — the backend. The model requests a command. Credential check: does this command need auth? If yes, the backend resolves it — the credential never enters the sandbox. Egress check: is the URL on the allowlist? If yes, execute in the sandbox node — an isolated container with no credentials in its env. If no, block — exfiltration prevented. Two independent security gates as nodes. This is the production pattern behind the Agents SDK.

[SLIDE 15 — Takeaways] Five things. Inside versus outside — the credential question decides; multi-tenant means outside. Six providers — Docker default, E2B for latency, Agents SDK abstracts them. Three gates — read, write, egress — independent, defense in depth. Credential boundary — credentials never enter the sandbox. Lifecycle — cold start, idle suspend, crash recovery, resource caps. Next: Module Six — Permission, Approval, and Safety Architecture.

---

*End of Module 5 teaching script. ~1,700 scripted words; remaining time is the blast-radius lab (deploy inside vs outside; compare what the agent can reach).*