Sandbox

layer:9-sandbox

Layerstack-layers/layers/layer-9-sandbox.yaml·Open in Graph →

overview article json graph

Attributes

displayName

Sandbox

position

path

surfacing

scope

Policy-enforcement perimeter around execution and side effects.

summary

The sandbox layer constrains `Execution`: filesystem allow/deny lists, network allow/deny lists, binary allow/deny lists, environment and secret scope, audit-log policy, and policy evaluation point (pre-call, continuous, or post-call attestation). Coarse posture is captured by filesystemPolicy and networkPolicy enums. Realized by `Sandbox` nodes.

responsibilities

Enforce filesystem, network, binary, secret, and environment policy.
Record audit evidence and policy decisions around side effects.
Define approval, escalation, and attestation boundaries for execution.

examples

Read-only filesystem, workspace-write mode, network-disabled mode.
Binary allow list, secret scope, approval-required command policy.
Container, VM, OS sandbox, or hosted policy engine.

fitNotes

Custom-agent frameworks may leave sandboxing entirely to the embedding host. Production tools should model this layer explicitly even when users only see a simple approval prompt.

Wiki pages

Outgoing edges (0)

None.

Incoming edges (9)

documents3

page:agent-generate-universal-agentic-stack·PageUniversal Agentic Stack
page:agent-generate-universal-agentic-stack-layers·PageUniversal Agentic Stack Layers
page:agent-generate-universal-agentic-stack-source-map·PageUniversal Agentic Stack Source Map

realizes6

sandbox:codex-read-only·SandboxCodex read-only sandbox
sandbox:codex-workspace-write·SandboxCodex workspace-write sandbox
sandbox:codex-danger-full-access·SandboxCodex danger-full-access sandbox
sandbox:default-container·SandboxDefault container sandbox
sandbox:read-only-air-gapped·SandboxRead-only air-gapped sandbox
sandbox:permissive-developer·SandboxPermissive developer sandbox