would be interested in reading your outlook on the execution model, isolation, guardrails, tool calling. those are some of the baseline things i evaluate before try before trying an agentic env
Isolation is a smart idea for these things, as you literally can't verify their behavior beyond "it's kinda doing the thing most of the time". My chat app just kinda settles for "you can require permissions and audit", which it's a fool proof bullet, when the AI can churn out more code than a human can read in a reasonable amount of time.
might be good to get your hands around this early.
reading up on how crush, goose, and opencode handle this may be a good idea.
i've been trying to build a web native terminal assistant for a while (just a side project) and this is easily the thing that keeps me up at night.
### Primary Sources:
- *Anthropic Engineering Blog: "Making Claude Code more secure and autonomous with sandboxing"*
Detailed article on Claude Code's sandboxing features, including OS-level primitives (e.g., Linux Bubblewrap, macOS Seatbelt) for filesystem and network isolation.
[Read here](https://www.anthropic.com/engineering/claude-code-sandboxing) (Published Oct 20, 2025).
- *Claude Code Documentation: Sandboxing*
Official docs covering setup, configuration, security benefits (e.g., prompt injection protection), and limitations of filesystem/network isolation in Claude Code.
[Read here](https://code.claude.com/docs/en/sandboxing).
- *Claude Blog: "Beyond permission prompts: making Claude Code more secure and autonomous"*
Overview of sandboxing in Claude Code, emphasizing boundaries for safer agent execution.
[Read here](https://claude.com/blog/beyond-permission-prompts-making-cla...) (Published Oct 31, 2025).
### Additional Resources:
For broader context on sandboxing agentic AI:
- *arXiv Paper: "Securing AI Agent Execution"*
Research on isolation techniques for AI agents, including risk assessment.
[Read here](https://arxiv.org/abs/2510.21236) (Published Oct 24, 2025).
- *HopX Documentation*
Practical guide to sandboxing for AI agents (e.g., using Firecracker micro-VMs).
[Read here](https://hopx.ai/) (Open-source SDK available at [GitHub](https://github.com/hopx-ai/sdk)).
### Cursor
Cursor uses local-first editing with optional sandboxing via Docker containers for isolated execution (no default vendor-owned sandboxes). It respects user-defined rules without overriding them.
### OpenAI Codex
Codex primarily relies on API-based execution with optional user-managed sandboxes (e.g., via Firecracker or custom proxies). It emphasizes provider retention policies but lacks built-in native sandboxing like Claude Code.
- *Render Blog: Testing AI Coding Agents (2025)*
Benchmarks Codex's handling of isolation in production tasks, including Docker-based sandboxes.
[Read here](https://render.com/blog/ai-coding-agents-benchmark) (Published Aug 12, 2025).
### Goose AI (Codename Goose)
Goose uses container-based isolation via tools like Container Use (built on Dagger) for git-branch-isolated environments, emphasizing safe experimentation without affecting the host.
- *GitHub Discussion: Goose vs Claude Code*
Community analysis comparing Goose's local isolation to Claude Code's cloud sandboxes.
[Read here](https://github.com/block/goose/discussions/3133) (Ongoing, started Jun 27, 2025).
SamInTheShell|3 months ago
mutant|3 months ago
reading up on how crush, goose, and opencode handle this may be a good idea.
i've been trying to build a web native terminal assistant for a while (just a side project) and this is easily the thing that keeps me up at night.
### Primary Sources: - *Anthropic Engineering Blog: "Making Claude Code more secure and autonomous with sandboxing"* Detailed article on Claude Code's sandboxing features, including OS-level primitives (e.g., Linux Bubblewrap, macOS Seatbelt) for filesystem and network isolation. [Read here](https://www.anthropic.com/engineering/claude-code-sandboxing) (Published Oct 20, 2025).
- *Claude Code Documentation: Sandboxing* Official docs covering setup, configuration, security benefits (e.g., prompt injection protection), and limitations of filesystem/network isolation in Claude Code. [Read here](https://code.claude.com/docs/en/sandboxing).
- *Claude Blog: "Beyond permission prompts: making Claude Code more secure and autonomous"* Overview of sandboxing in Claude Code, emphasizing boundaries for safer agent execution. [Read here](https://claude.com/blog/beyond-permission-prompts-making-cla...) (Published Oct 31, 2025).
### Additional Resources: For broader context on sandboxing agentic AI: - *arXiv Paper: "Securing AI Agent Execution"* Research on isolation techniques for AI agents, including risk assessment. [Read here](https://arxiv.org/abs/2510.21236) (Published Oct 24, 2025). - *HopX Documentation* Practical guide to sandboxing for AI agents (e.g., using Firecracker micro-VMs). [Read here](https://hopx.ai/) (Open-source SDK available at [GitHub](https://github.com/hopx-ai/sdk)).
### Cursor Cursor uses local-first editing with optional sandboxing via Docker containers for isolated execution (no default vendor-owned sandboxes). It respects user-defined rules without overriding them.
- *Skywork AI Blog: Security in Cursor 2.0* Details Cursor's sandboxing for code execution, network protection, and isolation. [Read here](https://skywork.ai/blog/vibecoding/cursor-2-0-security-priva...) (Published Nov 1, 2025).
- *Skywork AI Blog: Cursor 2.0 vs Claude Code SDK* Compares isolation techniques, noting Cursor's local sandboxes vs. Claude's cloud-based ones. [Read here](https://skywork.ai/blog/vibecoding/cursor-2-0-vs-claude-code...) (Published Nov 1, 2025).
### OpenAI Codex Codex primarily relies on API-based execution with optional user-managed sandboxes (e.g., via Firecracker or custom proxies). It emphasizes provider retention policies but lacks built-in native sandboxing like Claude Code.
- *Render Blog: Testing AI Coding Agents (2025)* Benchmarks Codex's handling of isolation in production tasks, including Docker-based sandboxes. [Read here](https://render.com/blog/ai-coding-agents-benchmark) (Published Aug 12, 2025).
- *Medium: Claude Code vs Cursor* Indirect comparison noting Codex's API retention and sandbox limitations vs. Cursor/Claude. [Read here](https://open-data-analytics.medium.com/claude-code-vs-cursor...) (Published Aug 6, 2025).
### Goose AI (Codename Goose) Goose uses container-based isolation via tools like Container Use (built on Dagger) for git-branch-isolated environments, emphasizing safe experimentation without affecting the host.
- *Goose Blog: Isolated Dev Environments* Explains Goose's container-use for sandboxes, including lifecycle management and rollback. [Read here](https://block.github.io/goose/blog/2025/06/19/isolated-devel...) (Published Jun 19, 2025).
- *GitHub Discussion: Goose vs Claude Code* Community analysis comparing Goose's local isolation to Claude Code's cloud sandboxes. [Read here](https://github.com/block/goose/discussions/3133) (Ongoing, started Jun 27, 2025).
- *Slashdot: Compare Claude vs. Goose* High-level comparison including deployment isolation. [Read here](https://slashdot.org/software/comparison/Claude-vs-codename-...).
also: check out the open-source sandbox runtime from Anthropic: [GitHub Repo](https://github.com/anthropic-experimental/sandbox-runtime).
clearly i have a bias on this topic, lol