txprog's comments

This is why kernel-level sandboxing matters. I use a sandbox named greywall that enforces filesystem/network isolation at the syscall level (Landlock + Seccomp + eBPF on Linux, sandbox-exec on macOS).

I do disagree about Unix systems being designed for this kind of stuff. Unix was not designed for an agent to act like you and take decisions for you...


I think it depends on your philosophical approach to agency or personas. Unix groups allowed individuals to share directories with various levels of access. The assumption was those were people. Agents are philosophically people in so far as they exercise agency. They can do things via the file system. They are just non-organic agents. The basic Unix permission system can still work with them.

The entire Von Neumann architecture is not suitable for agents.

Putting data and instructions in the same memory was always a bad idea - LLMs just took this to the extreme by making data and instructions the same thing.


Author here. I didn't set out to build this. Started with Cubbi as an opinionated Docker-based wrapper for CLI agents, but the network restrictions and not having my own tooling kept fighting. Then I found Fence, which was already doing the hard kernel work really well. What pushed me to go further was network control: tools that ignore HTTP_PROXY env vars bypass proxy-based filtering entirely. The transparent TUN approach captures everything regardless (but not yet on macOS).

The dashboard is just the start. The real goal is full conversation observability including tool calls, a semantic firewall that understands what the agent is actually trying to do rather than just which domain it's hitting, and credential replacement on the fly before anything leaves the machine. The hard part is that sitting as a transparent proxy makes this significantly more complex, and I don't want to touch any agent internals or require integrating a third party SDK.

Happy to answer questions and curious how others are thinking about the visibility vs isolation tradeoff.


I wrote a podcast generator based on AI-related papers that ingests the podcast dialogues, voices, tags, assembles the audio and publishes the RSS automatically. I was inspired by the PDF ingestion of OpenAI and the quality of the TTS.

It is named https://paperbrief.net


SEEKING WORK | France (UTC-1) | Remote | Full stack developer

My name is Mathieu Virbel, and I am a consultant on system and software architecture with over 12 years of experience as a consultant and 20 years in programming. I have a passion for creating innovative and user-friendly applications. I specialize in using the open-source Kivy framework to develop desktop and mobile applications, but I am also skilled in other technologies and frameworks.

I have worked on a variety of subjects, from interactive and mobile applications for museums and public institutions, to embedded systems in a security company, telecommunications, and startup environments built from scratch. Recently I have been playing with Python, Golang, VueJS 3/TypeScript, InfluxDB, Docker Swarm, as well as writing specifications and reviewing code from other contractors.

Technologies: Python (Django, Flask, TensorFlow, Kivy, FastAPI, aiohttp …), Golang, TypeScript, VueJS, Quasar, Docker, Docker Swarm, Terraform, Ansible, MongoDB, InfluxDB, MariaDB, SQLite, Kafka, Prometheus/Grafana

Résumé/CV: https://meltingrocks.com/cv

LinkedIn: https://www.linkedin.com/in/mathieuvirbel/

Website: https://meltingrocks.com

Email: mat@meltingrocks.com

Notable Project: Kivy ( https://kivy.org/ )


SEEKING WORK | France (UTC-1) | Remote | Full stack developer

My name is Mathieu Virbel, and I am a consultant on system and software architecture with over 12 years of experience as a freelancer and 20 years in the field. I have a passion for creating innovative and user-friendly applications. I specialize in using the open-source Kivy framework to develop desktop and mobile applications, but I am also skilled in other technologies and frameworks.

I have worked on a variety of subjects, from interactive and mobile applications for museums and public institutions, to embedded systems in a security company, telecommunications, and startup environments built from scratch. Recently I have been playing with Python, Golang, VueJS 3/TypeScript, InfluxDB, Docker Swarm, as well as writing specifications and reviewing code from other contractors.

Technologies: Python (Django, Flask, TensorFlow, Kivy, …), Golang, TypeScript, VueJS, Quasar, Docker, Docker Swarm, Terraform, Ansible, MongoDB, InfluxDB, MariaDB, SQLite, Kafka, Prometheus/Grafana

Résumé/CV: https://meltingrocks.com/cv

LinkedIn: https://www.linkedin.com/in/mathieuvirbel/

Website: https://meltingrocks.com

Email: mat@meltingrocks.com

Notable Project: Kivy ( https://kivy.org/ )


Location: France

Remote: Yes

Willing to relocate: No

Technologies: Python (Django, Flask, TensorFlow, Kivy, …), Golang, TypeScript, VueJS, Quasar, Docker, Docker Swarm, Terraform, Ansible, MongoDB, InfluxDB, MariaDB, SQLite, Kafka, Prometheus/Grafana, WireGuard

Résumé/CV: https://meltingrocks.com/cv

LinkedIn: https://www.linkedin.com/in/mathieuvirbel/

Website: https://meltingrocks.com

Email: mat@meltingrocks.com

Notable Projects: Kivy ( https://kivy.org/ )

My name is Mathieu Virbel, and I am a consultant on system and software architecture with over 12 years of experience as a freelancer and 20 years in the field. I have a passion for creating innovative and user-friendly applications. I specialize in using the open-source Kivy framework to develop desktop and mobile applications, but I am also skilled in other technologies and frameworks.

I have worked on a variety of subjects, from interactive and mobile applications for museums and public institutions, to embedded systems in a security company, telecommunications, and startup environments built from scratch. Recently I have been playing with Python, Golang, VueJS 3/TypeScript, InfluxDB, Docker Swarm, as well as writing specifications and reviewing code from other contractors.


I discovered chezmoi a few days ago after getting a new laptop and a wish to normalize my configuration across multiple computers.

Templating is awesome when you have computers with different DPIs or attached screens, OSes, etc.

Editing with --watch is a breeze, auto-commit too!


Very interested to hear your story and details!


Shameless plug here. I'm working for https://cozyair.fr - keeping good indoor air quality is good for both the user and the building.

CO2 is not the only factor you should look at; PM is also dangerous when you cook or when there is outside pollution. NO2/O3 are outdoor air pollutants that we watch, because the only way to get the CO2 out is ventilation / opening your windows for a few minutes, but that can bring in another kind of pollution depending on your area.


Using redis as a main database.

