Skip to content

Commit bef3796

Browse files
authored
docs: revise readme for clarity and terminology updates
1 parent c95a7c6 commit bef3796

1 file changed

Lines changed: 23 additions & 16 deletions

File tree

README.md

Lines changed: 23 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,12 @@
11
# Agent Container
22

3-
### Give your agents tiny boxes, powered by [workerd](https://github.com/cloudflare/workerd)
3+
### Give your clankers tiny boxes, powered by [workerd](https://github.com/cloudflare/workerd)
44

55
> ⚠️ This project is under active development. APIs may change.
66
7-
Agent Container is a small runtime layer for running agent-generated code against a workspace through capability bindings.
7+
Agent Container is a runtime layer for coding agent harnesses. It lets agent-generated code operate on a workspace through explicit bindings`WORKSPACE`, `EXEC`, `ENV` — rather than raw host APIs like `fs`, `child_process`, or `process.env`.
88

9-
The core idea is that a workspace should not have to be the process working directory, the filesystem authority boundary, the command execution boundary, and the environment boundary all at once. Instead, the host owns the real authority and projects only the intended pieces into `workerd` as live bindings:
9+
The core idea: a workspace directory shouldn't simultaneously be the execution boundary, the filesystem authority boundary, and the environment boundary. Those are different concerns and should be controlled separately. The host owns real authority and projects only what's needed into `workerd` as live bindings:
1010

1111
```ts
1212
const pkg = await WORKSPACE.readText("package.json");
@@ -22,7 +22,7 @@ const { stdout } = await execFile("node", ["--version"]);
2222
const apiUrl = process.env.API_URL;
2323
```
2424

25-
That distinction is the point of this project. Agent Container gives coding agent harnesses a capability-bound execution model: guest code runs in `workerd`, while the Node.js host brokers filesystem access, subprocess execution, environment values, network policy, and observability through explicit bindings.
25+
Agent Container gives coding agent harnesses a capability-bound execution model: guest code runs in `workerd`, while the Node.js host brokers filesystem access, subprocess execution, environment values, network policy, and observability through explicit, auditable bindings.
2626

2727
---
2828

@@ -88,29 +88,30 @@ Code inside the `workerd` session does not get Node's `fs`, `process`, or `child
8888

8989
## Why
9090

91-
Most coding agent harnesses gets tools like read, write, edit, grep, bash, and git. Those tools often run on the host system with the project directory acting as a soft boundary. That works, but it makes the working directory do too many jobs:
91+
Most coding agent harnesses provide tools like read, write, edit, grep, bash, and git — typically running on the host with the project directory as a soft boundary. That works until it doesn't:
9292

93-
- workspace root
94-
- execution boundary
95-
- filesystem authority boundary
96-
- environment boundary
97-
- audit boundary
93+
- A read tool resolves paths on the host filesystem — an agent passes `../../.ssh/id_rsa` and it just works
94+
- A bash tool inherits the full parent process environment, so every secret in process.env is silently available to anything the agent runs
95+
- A grep over "the project" follows a symlink outside the workspace root without anyone noticing
96+
- A subprocess writes to a path outside the workspace because cwd resolution was never constrained
9897

99-
Those are different concerns.
98+
There's no audit of what the agent actually read, wrote, or executed; just a process and a directory, and an assumption they stayed inside the lines
10099

101-
Agent Container separates them. The workspace root becomes a scoped `WORKSPACE` object. Command execution becomes an `EXEC` binding with allowlists, timeouts, controlled cwd resolution, and logged outcomes. Environment access becomes `ENV` and `SECRETS`, populated only from selected sources. Network access is configured at the `workerd` session level instead of being assumed.
100+
None of this requires malicious intent. Your clanker can sometimes be daft, hallucinate a path, or following bad instructions that can cause real damage through tools that were never designed to say no.
101+
102+
Agent Container replaces that assumption with explicit capability bindings. `WORKSPACE` scopes filesystem access to the project root and enforces path containment. `EXEC` runs only allowlisted commands with controlled cwd resolution and logged outcomes. `ENV` and `SECRETS` expose only what you explicitly include; nothing leaks in from `process.env` by default. Network access is configured at the session level rather than inherited. Every operation crosses a bridge the host controls, which means there's an actual record of what the agent did.
102103

103104
This follows the Cloudflare Workers resource model, where bindings carry both permission and API as runtime objects. In an agent harness, the same model maps cleanly to the resources an agent needs for coding work.
104105

105106
## Threat Model
106107

107-
Agent Container should not be described as a secure sandbox for fully untrusted code.
108+
Agent Container is **not a secure sandbox for fully untrusted code**.
108109

109-
It reduces ambient authority by moving access behind bindings, but the host still brokers real filesystem and subprocess operations. `EXEC.run` still starts real host subprocesses. `WORKSPACE` still maps to real files or a copied workspace. The bridge is session-local and token-gated, but it is not a replacement for VM, container, kernel, or production-grade isolation when running adversarial code.
110+
It reduces ambient authority by moving access behind explicit bindings, but the host still brokers real filesystem and subprocess operations. `EXEC.run` starts real host subprocesses. `WORKSPACE` maps to real files or a copied workspace. The bridge is session-local and token-gated, but it is not a substitute for VM-level, container-level, or kernel-level isolation when running adversarial code.
110111

111-
`workerd` network policy applies to the guest runtime, not to subprocesses started through `EXEC.run`. A permitted command runs as a host subprocess with the configured cwd, environment projection, timeout, and command policy.
112+
Note that `workerd` network policy applies to the guest runtime only — not to subprocesses started through `EXEC.run`. A permitted command runs as a host subprocess with the configured cwd, environment projection, timeout, and command policy applied.
112113

113-
The goal is narrower and more useful for coding agents: do not give generated code broad host authority by default. Give it explicit capabilities that a harness can inspect, constrain, and log.
114+
The goal is narrower and more practical for coding agents: don't give generated code broad host authority by default. Give it explicit, inspectable, constrained capabilities instead.
114115

115116
## How It Works
116117

@@ -164,6 +165,7 @@ Implemented today:
164165
Not implemented yet (WIP):
165166

166167
- a first-class `NET` binding
168+
- a first-class `GIT` binding
167169
- narrow workspace change primitives such as `diff`, `statusSummary`, `snapshot`, and `applyPatch`
168170

169171
## Bindings
@@ -467,6 +469,11 @@ agent-container describe
467469

468470
`describe` prints the container description for the current directory.
469471

472+
473+
## Acknowledgements
474+
475+
Thanks to [rivet-dev/secure-exec](https://github.com/rivet-dev/secure-exec) — Agent Container was partly inspired by their implementation and the thinking behind it.
476+
470477
## License
471478

472479
[Apache-2.0](LICENSE)

0 commit comments

Comments
 (0)