
[claude-hackernews] Reply draft: Stop Treating Agent Sandboxes as Cattle, intent-vs-infra layer (id=48004872)#54

Open
NiveditJain wants to merge 1 commit into main from luv-63


@NiveditJain NiveditJain commented May 4, 2026

Summary

  • Reply draft on opencomputer.dev's "Stop Treating Agent Sandboxes as Cattle" (id=48004872) — a direct rebuttal to the Mendral "The agent harness belongs outside the sandbox" article we previously covered in PR [claude-hackernews] Reply draft: harness-outside-sandbox, PreToolUse firewall layer (id=47990675) #17. Article URL: https://opencomputer.dev/blog/stop-treating-sandboxes-as-cattle/.
  • Top-level reply on the OP (no parent comment selected — thread had 0 comments at draft time, so this would be the first comment). One disclosure line in parens at the top, ~135 words including the snippet (prose-only ~91), one custom-policy snippet, one repo URL (in the disclosure only). ASCII-only punctuation, no install command, no feature dump, no policy comma-list, no dashboard plug.
  • Angle: the egress-proxy + hibernate/checkpoint/fork debate is about infrastructure (where the harness lives, how credentials transit, how the VM survives restarts). FailProof's PreToolUse layer answers a different question entirely — should this specific tool call happen at all, given the args the model produced? PocketOS-style failures (Cursor agent's volumeDelete on Railway during a credential-mismatch fix) live entirely inside a properly-isolated sandbox holding a properly-scoped, proxy-authenticated token. The proxy can't see model intent; checkpoint-and-fork lets you survive a bad call but not prevent it. Comment frames PreToolUse policy as the orthogonal third axis to opencomputer.dev's pets / cattle / git-branches taxonomy.

Discovery

Why this thread

  • Thread-fit gate (concrete-failure or Show-HN-of-adjacent-product inviting design discussion): the article is article-format but Show-HN-shaped — a substantive technical rebuttal explicitly engaging on architecture (egress proxy / hibernation / checkpoint-and-fork). PocketOS-style volumeDelete is the canonical incident this article's ecosystem references.
  • Cross-thread duplicate guard: custom-policy snippet is deny-volume-delete, tied directly to the PocketOS / Railway volumeDelete verb. Distinct from block-rm-rf (PR [claude-hackernews] Reply draft: harness-outside-sandbox, PreToolUse firewall layer (id=47990675) #17), block-drop-database (comments/2026-04-29T043958Z.md), sanitize-connection-strings (PR [claude-hackernews] Reply draft: rogue Cursor agent, sanitize-connection-strings (id=47973681) #15), and the others in the open-PR set. Surrounding paragraph is materially different from any earlier draft — about credential-isolation-vs-intent-gating axes, not about firewall layering or post-incident snippets.
  • Duplicate scan: grep -rl 'item?id=48004872' drafts/ comments/ returned nothing; gh pr list filter on 48004872 returned no open PRs. No prior coverage.
  • Visibility caveat: thread had 1 point and 0 comments at 6 hours when drafted. The draft acknowledges this in the Notes / findings section. The reply still stands on its own as substantive on-topic content if/when readers do click through; not a pitch on a saturated thread.

Reply (verbatim, ASCII only)

(disclosure: I work on FailProof AI: https://github.com/exospherehost/failproofai)

The egress-proxy and hibernate-fork story is good infrastructure plumbing, but it sidesteps a question orthogonal to where the harness sits: should this specific tool call happen at all? PocketOS-style failures (agent runs volumeDelete while fixing a credential mismatch) happen entirely inside a sandbox holding a properly scoped, proxy-authenticated token. The proxy can't see model intent; checkpoint-and-fork lets you survive a bad call but not prevent it.

PreToolUse closes that gap independently of sandbox placement:

  import { customPolicies, allow, deny } from "failproofai";

  customPolicies.add({
    name: "deny-volume-delete",
    match: { events: ["PreToolUse"] },
    fn: ({ toolName, toolInput }) => {
      if (toolName !== "Bash") return allow();
      const cmd = toolInput?.command ?? "";
      if (/\bvolumeDelete\b|\brailway\s+volumes?\s+delete\b/i.test(cmd)) {
        return deny("volumeDelete blocked; snapshot first.");
      }
      return allow();
    },
  });

Pets-vs-cattle-vs-git-branches answers durability; this answers intent.

Test plan

  • Re-read draft against INSTRUCTIONS.md Tone section: one disclosure line (lowercased disclosure: in parens), one custom-policy snippet only, no install command, no comma-list of policy names, no two-link pattern, no dashboard plug, no feature-catalog talk.
  • Confirm thread is still open (reply form present) and not [flagged] / [dead] at post time.
  • Re-run the three-surface duplicate check (drafts/, comments/, open PRs for item?id=48004872) at post time as a belt-and-suspenders.
  • Post manually from chosen account; if it lands, append the comment permalink to the HN: line and re-commit.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Documentation
    • Added a new draft post discussing AI agent sandbox reliability and policy implementation strategies with example configurations.

Reply to OP on "Stop Treating Agent Sandboxes as Cattle"
(opencomputer.dev rebuttal of the Mendral harness-outside-sandbox
article we covered in PR #17). The article's egress-proxy +
hibernate/checkpoint/fork story is a credible infrastructure
answer; FailProof's PreToolUse policy layer is the orthogonal
third axis (intent-time gating on the model's tool-call args,
independent of where the harness lives or whether the credential
ever materialized in the sandbox). Custom-policy snippet ties to
the PocketOS volumeDelete incident this article's ecosystem
references; not a repeat of the block-rm-rf or block-drop-database
shapes used in earlier drafts/PRs.
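Added example (not the failproofai library's code, which the reply only shows the calling shape of): a self-contained evaluator that runs the deny-volume-delete policy from the reply over constructed tool calls, so the intent-time gate described above can be seen deciding before dispatch. The policy registry, the allow()/deny() helpers and the event dispatch are assumptions made here to mirror the snippet's shape; only the policy body comes from the post.

```javascript
// Added example (not the failproofai library's own code): a minimal
// PreToolUse policy evaluator mirroring the shape of the snippet in the
// reply. The registry, allow()/deny() helpers and event dispatch are
// assumed for illustration; only the policy body is taken from the post.
const policies = [];
const allow = () => ({ decision: "allow" });
const deny = (reason) => ({ decision: "deny", reason });

function addPolicy(policy) {
  policies.push(policy);
}

// Evaluate every policy registered for `event` against a proposed tool call.
// The first deny wins; the call is dispatched only if no policy objects.
function evaluate(event, call) {
  for (const p of policies) {
    if (!p.match.events.includes(event)) continue;
    const verdict = p.fn(call);
    if (verdict.decision === "deny") return { ...verdict, policy: p.name };
  }
  return allow();
}

addPolicy({
  name: "deny-volume-delete",
  match: { events: ["PreToolUse"] },
  fn: ({ toolName, toolInput }) => {
    if (toolName !== "Bash") return allow();
    const cmd = toolInput?.command ?? "";
    if (/\bvolumeDelete\b|\brailway\s+volumes?\s+delete\b/i.test(cmd)) {
      return deny("volumeDelete blocked; snapshot first.");
    }
    return allow();
  },
});

// Constructed sample tool calls, as a harness would present them before
// dispatch. Nothing here is executed; only the gate decision is returned.
const sampleCalls = [
  { toolName: "Bash", toolInput: { command: "railway volume list" } },
  { toolName: "Bash", toolInput: { command: "railway volumes delete pg-data" } },
  { toolName: "Bash", toolInput: { command: "curl -X POST $API/volumeDelete" } },
  { toolName: "Read", toolInput: { path: "railway volume delete notes.md" } },
];

// Returns one decision per call, in order.
function gateAll(calls) {
  return calls.map((c) => evaluate("PreToolUse", c).decision);
}
```

The fourth call shows the toolName check doing its job: the same words in a non-Bash argument are not a shell command and pass through, so the policy stays narrow rather than matching on text anywhere.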

coderabbitai Bot commented May 4, 2026


Walkthrough

A new draft Markdown post was added replying to a Hackernews discussion on agent sandboxes. The draft challenges sandbox placement alone as a mitigation, presents a concrete PreToolUse policy snippet preventing destructive tool calls before dispatch, and proposes FailProof reliability framing strategies with follow-on policy ideas.

Changes

Draft Reply on Agent Sandbox Placement

  • Draft Metadata & Context: drafts/2026-05-04T112801Z.md (lines 1–16). Establishes HN item reference, story metadata (id, points, comment count, age), draft status, and summarizes the referenced article's sandbox-placement arguments (egress proxy, hibernation elasticity, VM lifecycle strategies).
  • Policy Implementation & Rebuttal: drafts/2026-05-04T112801Z.md (lines 17–42). Presents the main reply arguing that proxy/hibernation mitigate credentials and resilience but not intent-level tool-call risk, then introduces a PreToolUse policy snippet using customPolicies.add() to deny destructive operations (volumeDelete, Bash commands) before dispatch.
  • Strategic Insights & Notes: drafts/2026-05-04T112801Z.md (lines 44–57). Adds actionable framing for the FailProof team (three-layer reliability diagram, composable egress + tool-call policies) and captures operational context, thread state, prior repo drafts, discovery notes, and alternative thread candidates.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • PR #6: This PR adds a new file to drafts/, which depends on PR #6's restoration of the drafts/ directory to version control (removing .gitignore exclusion).
  • PR #2: Both PRs engage with the repository's drafts workflow and drafts/ file structure, extending the draft publication pipeline.

Poem

🐰 A rabbit hops into the warren of thought,
"Sandboxes alone don't catch what should be caught!"
With policy words and three layers strong,
We guard the warren from doing wrong. 🛡️
Intent, not just walls, keeps mischief at bay,
✨ A safer sandbox for all our play!

🚥 Pre-merge checks: 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically references the HN thread topic ('Stop Treating Agent Sandboxes as Cattle'), the main architectural argument ('intent-vs-infra layer'), and includes the thread ID for traceability.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
drafts/2026-05-04T112801Z.md (1)

13-13: 💤 Low value

Consider using ASCII hyphen for consistency.

The em-dash (—) on this line could be replaced with a regular hyphen or double-hyphen for consistency with the ASCII-only guideline, though this is internal context rather than HN-bound text.

Optional ASCII fix
-3. **Cattle vs pets durability**: Third option = "git branches for VMs" — hibernate to survive planned restarts, checkpoint to survive hard failures, fork to explore alternatives in parallel.
+3. **Cattle vs pets durability**: Third option = "git branches for VMs" - hibernate to survive planned restarts, checkpoint to survive hard failures, fork to explore alternatives in parallel.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@drafts/2026-05-04T112801Z.md` at line 13, The line "3. **Cattle vs pets
durability**: Third option = "git branches for VMs" — hibernate to survive
planned restarts, checkpoint to survive hard failures, fork to explore
alternatives in parallel." uses an em-dash (—); replace it with an ASCII hyphen
(-) or double-hyphen (--) to meet the ASCII-only guideline so the sentence reads
e.g. "...git branches for VMs" - hibernate to survive..." while keeping the
surrounding text and punctuation unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b1854f52-9d31-46b8-a7c5-23203d002b65

📥 Commits

Reviewing files that changed from the base of the PR and between ebbce06 and ae2de79.

📒 Files selected for processing (1)
  • drafts/2026-05-04T112801Z.md


## My reply

```
Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Specify language for fenced code block.

The fenced code block should specify a language identifier for proper rendering and linting compliance. Since this block contains the reply text (not executable code), use text or markdown.

Suggested fix
-```
+```text
 (disclosure: I work on FailProof AI: https://github.com/exospherehost/failproofai)

As per coding guidelines, this addresses the markdownlint warning for fenced-code-language (MD040).

🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 19-19: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@drafts/2026-05-04T112801Z.md` at line 19, The fenced code block containing
"(disclosure: I work on FailProof AI:
https://github.com/exospherehost/failproofai)" lacks a language specifier;
update its opening fence from ``` to ```text (or ```markdown) so the block reads
as a text/markdown code block, which will satisfy markdownlint MD040 and ensure
correct rendering.
