You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+23-16Lines changed: 23 additions & 16 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,12 +1,12 @@
1
1
# Agent Container
2
2
3
-
### Give your agents tiny boxes, powered by [workerd](https://github.com/cloudflare/workerd)
3
+
### Give your clankers tiny boxes, powered by [workerd](https://github.com/cloudflare/workerd)
4
4
5
5
> ⚠️ This project is under active development. APIs may change.
6
6
7
-
Agent Container is a small runtime layer for running agent-generated code against a workspace through capability bindings.
7
+
Agent Container is a runtime layer for coding agent harnesses. It lets agent-generated code operate on a workspace through explicit bindings — `WORKSPACE`, `EXEC`, `ENV` — rather than raw host APIs like `fs`, `child_process`, or `process.env`.
8
8
9
-
The core idea is that a workspace should not have to be the process working directory, the filesystem authority boundary, the command execution boundary, and the environment boundary all at once. Instead, the host owns the real authority and projects only the intended pieces into `workerd` as live bindings:
9
+
The core idea: a workspace directory shouldn't simultaneously be the execution boundary, the filesystem authority boundary, and the environment boundary. Those are different concerns and should be controlled separately. The host owns real authority and projects only what's needed into `workerd` as live bindings:
That distinction is the point of this project. Agent Container gives coding agent harnesses a capability-bound execution model: guest code runs in `workerd`, while the Node.js host brokers filesystem access, subprocess execution, environment values, network policy, and observability through explicit bindings.
25
+
Agent Container gives coding agent harnesses a capability-bound execution model: guest code runs in `workerd`, while the Node.js host brokers filesystem access, subprocess execution, environment values, network policy, and observability through explicit, auditable bindings.
26
26
27
27
---
28
28
@@ -88,29 +88,30 @@ Code inside the `workerd` session does not get Node's `fs`, `process`, or `child
88
88
89
89
## Why
90
90
91
-
Most coding agent harnesses gets tools like read, write, edit, grep, bash, and git. Those tools often run on the host system with the project directory acting as a soft boundary. That works, but it makes the working directory do too many jobs:
91
+
Most coding agent harnesses provide tools like read, write, edit, grep, bash, and git — typically running on the host with the project directory as a soft boundary. That works until it doesn't:
92
92
93
-
- workspace root
94
-
- execution boundary
95
-
- filesystem authority boundary
96
-
- environment boundary
97
-
- audit boundary
93
+
- A read tool resolves paths on the host filesystem — an agent passes `../../.ssh/id_rsa` and it just works
94
+
- A bash tool inherits the full parent process environment, so every secret in process.env is silently available to anything the agent runs
95
+
- A grep over "the project" follows a symlink outside the workspace root without anyone noticing
96
+
- A subprocess writes to a path outside the workspace because cwd resolution was never constrained
98
97
99
-
Those are different concerns.
98
+
There's no audit of what the agent actually read, wrote, or executed; just a process and a directory, and an assumption they stayed inside the lines
100
99
101
-
Agent Container separates them. The workspace root becomes a scoped `WORKSPACE` object. Command execution becomes an `EXEC` binding with allowlists, timeouts, controlled cwd resolution, and logged outcomes. Environment access becomes `ENV` and `SECRETS`, populated only from selected sources. Network access is configured at the `workerd` session level instead of being assumed.
100
+
None of this requires malicious intent. Your clanker can sometimes be daft, hallucinate a path, or following bad instructions that can cause real damage through tools that were never designed to say no.
101
+
102
+
Agent Container replaces that assumption with explicit capability bindings. `WORKSPACE` scopes filesystem access to the project root and enforces path containment. `EXEC` runs only allowlisted commands with controlled cwd resolution and logged outcomes. `ENV` and `SECRETS` expose only what you explicitly include; nothing leaks in from `process.env` by default. Network access is configured at the session level rather than inherited. Every operation crosses a bridge the host controls, which means there's an actual record of what the agent did.
102
103
103
104
This follows the Cloudflare Workers resource model, where bindings carry both permission and API as runtime objects. In an agent harness, the same model maps cleanly to the resources an agent needs for coding work.
104
105
105
106
## Threat Model
106
107
107
-
Agent Container should not be described as a secure sandbox for fully untrusted code.
108
+
Agent Container is **not a secure sandbox for fully untrusted code**.
108
109
109
-
It reduces ambient authority by moving access behind bindings, but the host still brokers real filesystem and subprocess operations. `EXEC.run`still starts real host subprocesses. `WORKSPACE`still maps to real files or a copied workspace. The bridge is session-local and token-gated, but it is not a replacement for VM, container, kernel, or production-grade isolation when running adversarial code.
110
+
It reduces ambient authority by moving access behind explicit bindings, but the host still brokers real filesystem and subprocess operations. `EXEC.run` starts real host subprocesses. `WORKSPACE` maps to real files or a copied workspace. The bridge is session-local and token-gated, but it is not a substitute for VM-level, container-level, or kernel-level isolation when running adversarial code.
110
111
111
-
`workerd` network policy applies to the guest runtime, not to subprocesses started through `EXEC.run`. A permitted command runs as a host subprocess with the configured cwd, environment projection, timeout, and command policy.
112
+
Note that `workerd` network policy applies to the guest runtime only — not to subprocesses started through `EXEC.run`. A permitted command runs as a host subprocess with the configured cwd, environment projection, timeout, and command policy applied.
112
113
113
-
The goal is narrower and more useful for coding agents: do not give generated code broad host authority by default. Give it explicit capabilities that a harness can inspect, constrain, and log.
114
+
The goal is narrower and more practical for coding agents: don't give generated code broad host authority by default. Give it explicit, inspectable, constrained capabilities instead.
114
115
115
116
## How It Works
116
117
@@ -164,6 +165,7 @@ Implemented today:
164
165
Not implemented yet (WIP):
165
166
166
167
- a first-class `NET` binding
168
+
- a first-class `GIT` binding
167
169
- narrow workspace change primitives such as `diff`, `statusSummary`, `snapshot`, and `applyPatch`
168
170
169
171
## Bindings
@@ -467,6 +469,11 @@ agent-container describe
467
469
468
470
`describe` prints the container description for the current directory.
469
471
472
+
473
+
## Acknowledgements
474
+
475
+
Thanks to [rivet-dev/secure-exec](https://github.com/rivet-dev/secure-exec) — Agent Container was partly inspired by their implementation and the thinking behind it.
0 commit comments