The “fusion” mode looks really cool. Also loved the logo grid under “for the paranoid” — looks like a customer list but except it’s a wall of shame (“they did not run bromure”). Thanks for sharing!
I believe you're looking for Era. It uses libkrun for local microVM isolation and was built specifically to solve the "LLM hallucinated a destructive bash command" problem without the overhead of a massive VM.
Another one that handles this gracefully is Yolobox, which uses rootless Podman. Both are actively maintained and cut through the noise of the thousands of generic wrapper repos out there right now.
If you are running MacOS, I would recommend Agent Safehouse.
Well maintained and is built on existing sandbox-exec so you are not locked in and can always build your own rules independent of the CLI tool.
Seconding this. I've been running Safehouse for months and love that it can wrap any process (it's just a wrapper around the native macOS sandbox API, after all). The only thing I miss is the ability to limit network access, which isn't supported by the API.
If you're on a mac, lookup https://bromure.io/en/agentic-coding
(Lookup the browser too: https://bromure.io/en/secure-web)
Everything you see is made by Claude (and Renaud Deraison :-)) and working quite well jugding from the demos)
See here for more details (in french but English subs available (and more)): https://www.sstic.org/2026/presentation/cloture_2026/
The “fusion” mode looks really cool. Also loved the logo grid under “for the paranoid” — looks like a customer list but except it’s a wall of shame (“they did not run bromure”). Thanks for sharing!
I believe you're looking for Era. It uses libkrun for local microVM isolation and was built specifically to solve the "LLM hallucinated a destructive bash command" problem without the overhead of a massive VM.
Another one that handles this gracefully is Yolobox, which uses rootless Podman. Both are actively maintained and cut through the noise of the thousands of generic wrapper repos out there right now.
Era is a bit of a generic name. Just found another podman one with https://github.com/thomaspeklak/agent-sandbox
just found era it's deprecated, so it wasn't that.
Era links to https://github.com/smol-machines/smolvm now
If you are running MacOS, I would recommend Agent Safehouse. Well maintained and is built on existing sandbox-exec so you are not locked in and can always build your own rules independent of the CLI tool.
https://github.com/eugene1g/agent-safehouse/ https://agent-safehouse.dev/
Originally posted on HN https://news.ycombinator.com/item?id=47301085
Seconding this. I've been running Safehouse for months and love that it can wrap any process (it's just a wrapper around the native macOS sandbox API, after all). The only thing I miss is the ability to limit network access, which isn't supported by the API.
for coding agents, i care less about sandbox branding and more about boring audit logs. what did it read, what did it write, and what was blocked?
Take a look at https://github.com/Tako-Research/TakoVM!
agent-pd was posted as a Show HN fairly recently, might be what you are remembering? https://github.com/varmabudharaju/agent-pd/
Docker has introduced sandboxes for this purpose.
Have you thought About docker?