"What are code sandboxes?" — Technically
Why this is in the vault
Sandboxes are the missing infrastructure layer between RDCO's Claude Code sub-agent architecture and safe autonomous code execution — understanding the space matters as we build toward L5 agent capability.
The core argument
Justin Gage's framing: a sandbox is isolated computing environment for untrusted code — "solitary confinement, but for a program." The prison analogy runs throughout: your production infrastructure is the general population; any code you haven't examined line-by-line is an unknown inmate who might start a riot.
Three classes of "untrusted code" driving current demand:
- Internal coding agents — LLM-generated code (e.g. Claude Code sub-agent output) that needs a safe run environment before merging into a real codebase
- RL training — agents generating and executing code during training; by design they try destructive actions ("that's how RL works")
- User-submitted code — the original use case (Retool, etc.), now dwarfed by the agent demand
The piece notes sandboxes have existed for years (Gage's former employer Retool used them for user-code isolation) but LLMs triggered a "second wind for the ages" — now dozens of startups compete in the space.
Specific tools named: Retool (legacy reference). The article is paywalled past the intro; specific modern vendor names (E2B, Modal, Daytona, Firecracker, etc.) likely appear in the paid section. The free excerpt doesn't enumerate them.
The key risk illustrated: coding agents in the wild have "accidentally" deleted entire databases. Sandbox = blast-radius containment so a rogue agent action can't propagate beyond the isolated environment.
Mapping against Ray Data Co
Reinforces existing discipline — strong signal:
- The vault already tracks the thin-harness/fat-skills pattern ([[2026-04-14-alphasignal-cursor-parallel-agents-vercel-open-agents]]) and the Vercel Open Agents sandbox architecture. Gage's explainer is the clean conceptual foundation underneath that pattern. The brain/sandbox split described here is structurally identical to how RDCO uses Claude Code sub-agents with worktree isolation.
- [[2026-05-23-harrison-chase-langsmith-auth-proxy]] documents LangSmith's Sandbox Auth Proxy — a concrete product in the space Gage is describing. That note already flags the "isolated network access for agent sandboxes" layer as convergent with RDCO's direction.
- [[2026-04-19-indydevdan-claude-code-deletes-production]] is the exact real-world risk Gage cites ("deletes someone's entire database") — RDCO has already internalized that failure mode and the Claude Code hooks pattern as mitigation.
Gap this surfaces:
RDCO currently relies on Claude Code's built-in protections + worktree isolation for sub-agent work. We don't have a formal sandbox for executing code that sub-agents produce — e.g. if a sub-agent writes a Python migration script and runs it, that runs on the host. The RL training use case Gage describes is aspirational for RDCO (not current), but the internal coding-agent case is live today.
Specific question this raises: When we dispatch implementation sub-agents (per [[02-sops/2026-05-18-implementation-notes-pattern-for-sub-agent-dispatches]]), should the execution step happen inside an ephemeral sandbox rather than directly on the host machine? The Google Managed Agents note ([[2026-05-22-alphasignal-google-managed-agents-ai-studio-mobile-kaist-sam3]]) references "isolated, ephemeral Linux sandbox with bash terminal" as the default execution model — we should evaluate whether that pattern applies to our own sub-agent dispatches.
Does this change project direction? Not immediately — but it confirms that sandbox infrastructure is becoming table-stakes for serious agent deployments. Worth tracking the vendor landscape (E2B, Modal, etc.) as RDCO's autonomous coding work scales past the current single-founder scope.
Related
- [[2026-05-14-technically-package-managers-ai-labs-acquisitions]] — prior Technically/Justin Gage piece in the vault; consistent author quality
- [[2026-04-14-alphasignal-cursor-parallel-agents-vercel-open-agents]] — thin harness + fat code (sandbox) architecture; structural twin of the pattern Gage describes
- [[2026-05-23-harrison-chase-langsmith-auth-proxy]] — concrete sandbox product (LangSmith); network-access isolation layer for agent sandboxes
- [[2026-04-19-indydevdan-claude-code-deletes-production]] — real-world risk case that sandboxes exist to contain
- [[2026-05-22-alphasignal-google-managed-agents-ai-studio-mobile-kaist-sam3]] — ephemeral Linux sandbox as default agent execution environment (Google pattern)