Welcome to Cloudberry Engineering
a notebook on building, breaking and securing systems by Gianluca Brindisi.
  • Since there are so many to choose from, I built my own sandbox for local coding agents. I use it within my homebrew agent orchestrator running Ralph loops.

    The sandbox is this, and builds on the mental models I sketched here.

    What stands out compared to competitors:

    • Focus is user experience: it’s an abstraction on top of a container, but it’s simpler to set up with a high-level config file that I sarcastically baptized Agentfile.
    • The networking boundary talks back to the agent, to avoid hallucinatory loops where the agent tries really hard to reach a remote destination that is blocked.
    #agents #sandbox
  • On Sandboxing Agents
  • Agent Sandboxes
  • We are moving towards a place where ticketing systems will become an important component to protect, akin to CI/CD.

    Tickets are a new source of untrusted input we need to account for when threat modeling against prompt injections.

    Ghostty only allows maintainers to create issues; it seems to me they figured out a cheap and pragmatic security policy by accident.

    #agents
  • Claude Code Sandbox