Fetching from the wire…
Top 5 · 2026-03-28 · source-backed
Running untrusted agent code safely has been a persistent headache. Docker adds startup latency and configuration overhead. VMs are heavier. Most developers, myself included, end up running agents with their real credentials on their real filesystem because the friction of sandboxing is too high.
Stanford's Secure Computer Systems group released JAI and it hits the exact sweet spot. One command. No Dockerfiles, no images, no container registries. The agent gets full read/write access to your working directory while the rest of the filesystem is isolated via copy-on-write. Any writes the agent makes outside the working directory happen in a temporary overlay that disappears when the session ends.
349 points and 192 comments on Hacker News, with practitioners calling it the missing piece for daily agent use. That HN engagement tells me this is solving a problem people actually have, not a research demo looking for a use case.
The copy-on-write approach is smart because it preserves the agent's ability to work normally. Your agent can read system libraries, access package managers, run compilers. It just can't modify anything outside the working directory permanently. From the agent's perspective, it has a normal Linux environment. From your perspective, your system is protected.
This matters more today than it did a month ago. The DryRun Security study (Story #1) shows agents write vulnerable code 87% of the time. The CISA findings (Story #5) show the agent toolchain itself is under active attack. If your agent installs a compromised dependency or writes code that exfiltrates data, JAI's isolation means the blast radius is limited to the working directory, not your entire machine.
For builders using Claude Code, Codex CLI, or any terminal-based coding agent: try JAI as your default execution environment. The overhead is minimal (it's a Linux namespace, not a VM), and the protection against both malicious dependencies and agent mistakes is real. The 192-comment HN thread has practical setup guides.
I don't know how well this works on macOS yet. Stanford's implementation targets Linux namespaces specifically. If you're on a Mac, you'd need a Linux VM as an intermediate layer, which somewhat defeats the "no Docker" premise. But for anyone developing on Linux or running agents on cloud instances, this is the right tool.
Each link below shares sources, entities, or timing with this story.
Docker supports Claude Code / Shared entities / Shared topic / What happened next
Linked by a graph relationship (Docker supports Claude Code); both cover Claude Code, Codex CLI, Hacker News, Most; overlapping topics (agent, running).
Linked by a graph relationship (Docker supports Claude Code); both cover Claude Code, Docker, Hacker News; overlapping topics (agent, code, comment, docker).
Docker supports Claude Code / Shared entities / Shared topic / Earlier coverage
Linked by a graph relationship (Docker supports Claude Code); both cover Claude Code, Docker; overlapping topics (access, agent, code, docker, environment).