Sandboxing coding agents is a critical first step, but it’s an incomplete solution. The real blocker to developer velocity isn't containment, it's the collapse of identity.
The attribution gap is the part most sandboxing approaches gloss over. Something that's helped me on the containment side is just-bash from Vercel. It reimplements bash in TypeScript with no real shell or binaries. The interesting bit for your argument is the AST plugin system; you can audit exactly which commands ran and what each produced. Not full identity separation but it's a step towards the observability you're describing. Wrote about it here: https://reading.sh/vercels-cto-built-a-fake-bash-and-it-s-pure-genius-a79ae1500f34?sk=9207a885db38088fa9147ce9c4082e9d
This sounds like a business opportunity. Build something that works, send it to Anthropic and OpenAI, and you will have a standard in a few months.
Agreed. We will see this problem writ large in the coming months.