Go hard on agents, not on your filesystem
mazieres
196 points
110 comments
March 28, 2026
Discussion Highlights (19 comments)
mazieres
What would it take for people to stop recklessly running unconstrained AI agents on machines they actually care about? A Stanford researcher thinks the answer is a new lightweight Linux container system that you don't have to configure or think about.
BoppreH
Excellent project, unfortunate title. I almost didn't click on it. I like the tradeoff offered: full access to the current directory, read-only access to the rest, copy-on-write for the home directory. With stricter modes to (presumably) protect against data exfiltration too. It really feels like it should be the default for agent systems.
triilman
What would Jonathan Blow think about this?
messh
How is this different than, say, bubblewrap and others?
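The policy BoppreH describes above (full access to the current directory, read-only everywhere else, a private home) can be approximated with bubblewrap, which is what messh's question points at. The following is an added example written for this thread, not code from jai or from any commenter; it builds and runs a bwrap command line, and the ordering of the mounts is the part worth checking: the project bind must come after the tmpfs home so the project still shows through when it lives under $HOME. Note that a tmpfs home is empty rather than copy-on-write, so anything the agent writes there is simply lost, and any config directory the agent needs has to be bound in read-only separately.

```python
import os
import shutil
import subprocess


def bwrap_argv(command, cwd=None, home=None, network=True):
    """Build a bubblewrap argv for the policy: read-only view of the whole
    filesystem, read-write only inside cwd, a fresh empty home directory,
    and fresh namespaces for everything except (optionally) the network."""
    cwd = os.path.realpath(cwd or os.getcwd())
    home = os.path.realpath(home or os.path.expanduser("~"))
    argv = [
        "bwrap",
        "--ro-bind", "/", "/",      # everything visible, nothing writable
        "--dev", "/dev",            # minimal device nodes
        "--proc", "/proc",
        "--tmpfs", home,            # throwaway home: hides dotfiles, keys, tokens
        "--bind", cwd, cwd,         # must follow --tmpfs so a project under $HOME shows through
        "--chdir", cwd,
        "--unshare-all",            # new user/pid/ipc/uts/cgroup/net namespaces
    ]
    if network:
        argv.append("--share-net")  # agents usually need their API endpoint reachable
    argv += ["--die-with-parent", "--"]
    return argv + list(command)


def run_jailed(command, **kwargs):
    """Run `command` inside the jail; returns the exit status."""
    if shutil.which("bwrap") is None:
        raise RuntimeError("bubblewrap (bwrap) is not installed")
    return subprocess.run(bwrap_argv(command, **kwargs)).returncode


if __name__ == "__main__":
    # Constructed demonstration: inside the jail, $HOME is empty and / is read-only.
    print(" ".join(bwrap_argv(["sh", "-c", "ls -la ~ && touch /etc/x; echo rc=$?"])))
```

If the agent must read its own settings (for example a config directory under the home), add `--ro-bind <dir> <dir>` after the `--tmpfs` line; keep anything holding credentials out of that list.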
adi_kurian
Claude's stock unprompted / uninspired UI code creates carbon clone components. That "jai is not a promise of perfect safety" callout box is like the em dash of FE code. The contrast, or lack thereof, makes some of the text particularly invisible. I wonder if shitty looking websites and unambitious grammar will become how we prove we are human soon.
AnotherGoodName
Add this to .claude/settings.json: { "sandbox": { "enabled": true, "filesystem": { "allowRead": ["."], "denyRead": ["~/"], "allowWrite": ["."], "denyWrite": ["/"] } } } You can change the read part if you're ok with it reading outside. This feature was only added 10 days ago fwiw but it's great and pretty much this.
simonw
Suggestion for the FAQ page: does this work on a Mac?
gerdesj
Oh dear Lord! (pick your $DEITY) Backups.
cozzyd
Should be named Jia. More seriously, I'm not a heavy agent user, but I just create a user account for the agent with none of my own files or ssh keys or anything like that. Hopefully that's safe enough? I guess the risk is that it figures out a local privilege escalation exploit...
mbreese
This still is running in an isolated container, right? Ignoring the confidentiality arguments posed here, I can't help but think about snapshotting filesystems in this context. Wouldn't something like ZFS be an obvious solution to an agent deleting or wildly changing files? That wouldn't protect against all the issues the authors are trying to address, but it seems like an easy safeguard against some of the problems people face with agents.
gurachek
The examples in the article are all big scary wipes, but I think the more common damage is way smaller and harder to notice. I've been using claude code daily for months and the worst thing that happened wasn't a wipe (yet). It needed to save an svg file so it created a /public/blog/ folder. Which meant Apache started serving that real directory instead of routing /blog. My blog just 404'd and I spent like an hour debugging before I figured it out. Nothing got deleted and it's not a permission problem, the agent just put a file in a place that made sense to it. jai would help with the rm -rf cases for sure but this kind of thing is harder to catch because it's not a permissions problem, the agent just doesn't know what a web server is.
cozzyd
Should definitely block .ssh reading too...
justinde
.claude/settings.json: { "sandbox": { "enabled": true, "filesystem": { "allowRead": ["."], "denyRead": ["~/"], "allowWrite": ["."] } } } Use it! :) https://code.claude.com/docs/en/sandboxing
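The two settings.json snippets posted above (AnotherGoodName's and justinde's) differ only in whether `denyWrite` is present, and cozzyd's remark that `.ssh` reading should be blocked is the kind of property worth checking mechanically rather than by eye. The following is an added example written for this thread, not part of Claude Code or of any commenter's post. It evaluates a sandbox `filesystem` block against a handful of sensitive home paths and against the project directory itself. The rule semantics are an assumption, not taken from the docs: the most specific matching rule (longest path) wins, a deny beats an allow of equal specificity, and a path matched by no rule is denied. The list of sensitive paths is constructed; only `~/.ssh` comes from the thread.

```python
import json
import os

# Constructed list; ~/.ssh is the one named in the thread, the rest are assumptions.
SENSITIVE_PATHS = ["~/.ssh", "~/.aws", "~/.gnupg"]


def expand(rule, cwd, home):
    """Turn a rule path into an absolute path: '.' -> cwd, '~/x' -> home/x, else relative to cwd."""
    if rule == ".":
        return cwd
    if rule in ("~", "~/"):
        return home
    if rule.startswith("~/"):
        return os.path.join(home, rule[2:])
    return os.path.normpath(os.path.join(cwd, rule))


def covers(rule_path, target):
    """True if target is rule_path itself or lies underneath it."""
    rule_path = rule_path.rstrip("/") or "/"
    target = target.rstrip("/") or "/"
    return rule_path == "/" or target == rule_path or target.startswith(rule_path + "/")


def decide(fs, kind, target, cwd, home):
    """Assumed precedence (not from the docs): most specific matching rule wins,
    deny beats allow at equal specificity, no matching rule means deny."""
    verdict, best = False, -1
    for allow, key in ((True, "allow" + kind), (False, "deny" + kind)):
        for rule in fs.get(key, []):
            path = expand(rule, cwd, home)
            if not covers(path, target):
                continue
            spec = len(path.rstrip("/"))
            if spec > best or (spec == best and not allow):
                verdict, best = allow, spec
    return verdict


def audit(settings, cwd, home):
    """Return a list of findings for a parsed settings.json dict."""
    sandbox = settings.get("sandbox", {})
    fs = sandbox.get("filesystem", {})
    findings = []
    if not sandbox.get("enabled"):
        findings.append("sandbox is not enabled")
    for p in SENSITIVE_PATHS:
        target = expand(p, cwd, home)
        if decide(fs, "Read", target, cwd, home):
            findings.append(f"{p} is readable")
        if decide(fs, "Write", target, cwd, home):
            findings.append(f"{p} is writable")
    # The project itself must stay usable, or the config silently breaks the agent.
    if not decide(fs, "Read", cwd, cwd, home):
        findings.append("project directory is not readable under these rules")
    if not decide(fs, "Write", cwd, cwd, home):
        findings.append("project directory is not writable under these rules")
    return findings


if __name__ == "__main__":
    # Constructed paths; a real run would use os.getcwd() and os.path.expanduser("~").
    cwd, home = "/home/u/proj", "/home/u"
    posted = json.loads('{"sandbox": {"enabled": true, "filesystem": '
                        '{"allowRead": ["."], "denyRead": ["~/"], "allowWrite": ["."]}}}')
    loose = json.loads('{"sandbox": {"enabled": true, "filesystem": '
                       '{"allowRead": ["~/"], "allowWrite": ["."]}}}')
    print("posted config:", audit(posted, cwd, home) or "no findings")
    print("loose config: ", audit(loose, cwd, home))
```

Under the assumed precedence both posted configs come out clean, while a config that allows reading all of `~/` gets flagged for every sensitive path; if the real precedence turns out to be plain deny-wins, the project-directory checks are the ones that will start firing, which is exactly why they are included.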
charcircuit
I want agents to modify the file system. I want them to be able to manage my computer if they think it's a good idea. If a build fails due to running out of disk space I want it to be able to find appropriate stuff to delete to free up space.
gonzalohm
Not sure I understand the problem. Are people just letting AI do anything? I use Claude Code and it asks for permission to run commands, edit files, etc. No need for a sandbox.
kristofferR
Also recommended: https://github.com/kenryu42/claude-code-safety-net
Jach
I've done some experimenting with running a local model with ollama and claude code connecting to it and having both in a firejail: https://firejail.wordpress.com/ What they get access to is very limited, and mostly whitelisted.
e1g
For jailing local agents on a Mac, I made Agent Safehouse - it works for any agent and has many sane defaults for developers: https://agent-safehouse.dev
ray_v
I'm wondering if the obvious (and stated) fact that the site was vibe-coded - detracts from the fact that this tool was hand written. > jai itself was hand implemented by a Stanford computer science professor with decades of C++ and Unix/linux experience. ( https://jai.scs.stanford.edu/faq.html#was-jai-written-by-an-... )