Eran Sandler

Grab the new version of Secure Sandbox (agentsh.org/secure-sandbox) for JavaScript/TypeScript. The new version adds full @modal sandboxes support (using pTrace) as well as continuing support for @e2b, @daytonaio, @blaxelAI, @vercel sandboxes, @Cloudflare sandboxes (CC @CloudflareDev ) One line of code to make your sandbox WAY more secure with full programmable access to control the policy straight from the code.

Rule files are not enforcement. They’re context. And context is not a security boundary. If you care whether an agent can read secrets, hit the network, or spawn a shell, the control has to live at the execution layer. canyonroad.ai/blog/rule-file…

@JoshConstine @pitdesi Consider the east bay (I can give you some recommendations :) )

Love SF. Never want to leave. But my wife and I both work in VC and still don’t see how we could afford a third kid. Biggest culprits: -Schools and summer camps that end mid-day, requiring both tuition and a nanny -Even the top SF public schools were dilapidated, understaffed, with very limited STEM or anti-bullying programs, pushing parents to private school or leaving the city -Housing of course is expensive, but so much so that an extra room for an au pair is unaffordable, and caretakers either live too far away for flexible use or charge crazy $50+/hr prices if they’re nearby

Mind-boggling: We made it so expensive to live in SF that we have to subsidize childcare for people making 95th percentile US income. Due to poor program design, families making 96th %ile income get NO support and choose 0/1 kids because they can't afford more. And I get it!

@fendien Bundling is powerful!

This is wild 🤯 PagerDuty net of cash is trading at a 0.2X ARR multiple. I don't even know how they exit at this point. It seems like a falling knife. Would a strategic buy them not for the revenue, but for the MSAs in their customer base for perhaps a quicker sell-through motion if they sell in an adjacent category?

@srcasm @flybridge Check out agentsh.org (and your DM)

We’re about six months into deploying @flybridge 2025 (our 7th fund). The "AI" honeymoon period is officially over. In 2024, everyone wanted to talk about models. In 2025, everyone wanted to talk about agents. Nowadays, I’m looking for the Invisible Infrastructure. If you’re building the plumbing that makes autonomous systems actually safe, auditable, and reliable for a Fortune 500, we should be talking. Specifically, I’m looking for: > Tools that verify human intent in a world full of high-fidelity deepfakes. > AI that doesn't "forget" who I am or what we talked about yesterday across different apps. > Founders who spent ten years in a "niche" industry (like maritime logistics or waste management) and are now rebuilding it from the studs up. I know the best founders are often too busy building to be scrolling LinkedIn. If you have a friend who is currently building something that fits this description, tell them to hit me up. I don't need a deck yet. I just want to hear about the problem they can't stop thinking about. We’re cutting $1M to $3M checks. My DMs are always open.

A supply chain attack hits MCP-related tooling, and the lesson is bigger than one campaign. When malicious code lands inside your agent’s toolchain, the real question is not how it got there. It’s what it can do now. Thanks to Koi for the research. canyonroad.ai/blog/the-worm-…

@e2b Now also with @flydotio Sprites!

CC @e2b (messed up your X user, sorry :) )

Agents don’t just generate text anymore. They execute. Today we’re launching AgentSH secure-sandbox for TypeScript - add execution policies under hosted AI sandboxes with essentially one line of code. Works with sandboxes from @vercel, @daytonaio, @e2b_dev, @BlaxelAI, and @Cloudflare. Blog: canyonroad.ai/blog/one-line-…

@_orcaman @vokaysh You know what helps in this yolo mode ;)

@vokaysh YOLO

Codex hacking my comptuer to test the app 🤔

Bugs have always existed. What's new is that agents don't wait for you. A trust boundary failure used to mean a bad click. Now it means files written, keys exfiltrated, and network calls made before you've seen a log line. Wrote about what enforcement at the execution layer actually looks like: canyonroad.ai/blog/bugs-happ…

@ivanburazin Ivan, let's talk :) But also, let all sandboxing use agentsh.org :)

Right now, nobody cares about sandbox security. You can basically let agents do whatever they want. Full freedom with no guardrails. But enterprises will soon demand Uncle Sam level surveillance on every agent action: - every process logged - every port monitored - every data transfer audited - permission layers on everything - real time alerts on anomalies Think Goldman Sachs level employee monitoring - keystroke logging, screen recording, email scanning, etc. But 100x more invasive because they're not human. Companies limit employee monitoring because of human rights concerns/labor laws/privacy regulations. For agents, there's no such concern. They're not human. So no questions of rights or protections. The security requirements for agent sandboxes will exceed anything we've seen for human developers. And when the first major agent security breach happens, everyone will panic and lock down everything overnight.

Love @a16z's kill-chain framing: ignore category soup -ask where you break attacker's sequence. In agentic systems, “boom” is the first unauthorized side effect. Beacon + AgentSH break that chain at execution time. canyonroad.ai/blog/breaking-…

Hey friends, every ⭐ you give to AgentsH repo (agentsh.org) (github.com/canyonroad/age…) an agent gets its wings :)

Really liked @Work_Bench's framing of the "agent runtime" (execute, constrain, observe, improve). But I keep coming back to one question: If "Constrain" = identity + permissions, who governs what the agent actually does once it’s running arbitrary code? Subprocess trees. .env reads. printenv. Outbound connects. IAM is policy at the service boundary. What’s policy at the syscall boundary? My take: eran.sandler.co.il/post/2026-03-0…

@simonw @nikete You should turn this full guide into a book cc @timoreilly

New chapter of my Agentic Engineering Patterns guide. This one is about having coding agents build custom interactive and animated explanations to help fight back against cognitive debt simonwillison.net/guides/agentic…

@omarsar0 Models are probabilistic. AGENTS dot md is not a way to enforce things. You must use execution layer security to keep models at check from mistakes or malicious intents. That's why agentsh.org exists.

AGENTS dot md files don't scale beyond modest codebases. Lots of discussions on this lately. If you're building serious software with Claude Code or any agentic tool, a single AGENTS dot md will eventually fail you. This paper shows what comes next. A 1,000-line prototype can be fully described in a single prompt. A 100,000-line system cannot. The AI must be told, repeatedly and reliably, how the project works, what patterns to follow, and what mistakes to avoid. Single-file manifests hit a ceiling fast. This new paper, Codified Context, documents a three-tier infrastructure built during real development of a 108,000-line C# distributed system across 283 sessions over 70 days. The system uses a three-tier memory architecture: a hot-memory constitution (660 lines, always loaded), 19 specialized domain-expert agents (9,300 lines total) invoked per task, and a cold-memory knowledge base of 34 specification documents (~16,250 lines) queried on demand via an MCP retrieval server. Across 283 sessions, this produced 2,801 human prompts, 1,197 agent invocations, and 16,522 autonomous agent turns, roughly 6 autonomous turns per human prompt, with a knowledge-to-code ratio of 24.2%. Crucially, none of it was designed upfront: each new agent and specification emerged from a real failure, a recurring bug, an architectural mistake, a convention forgotten, and was codified so it could never require re-explanation again, turning documentation into load-bearing infrastructure that agents depend on as memory, not reference. Paper: arxiv.org/abs/2602.20478 Learn to build effective AI agents in our academy: academy.dair.ai

AGENTS dot md is important, but stuffing it with rules backfires: you overload the context window, probabilistic models miss/dilute key instructions (“needle in a haystack”), and markdown can’t enforce behavior. You need execution-layer enforcement. agentsh.org

Updated Self Host LLM (selfhostllm.org) with updated cards, updated models and machines. We now have a bit more info on Apple M5 so information was also updated. Figure out how to run local inference on your hardware or use it to decide which hardware to get.