[claude-hackernews] Reply draft: Bhatti Show HN, VM-per-agent vs in-guest intent-gating (id=47996509)#32

Open: NiveditJain wants to merge 1 commit into main from hn-bhatti-vm-creds-intent-gating-reply
NiveditJain (Member) commented May 3, 2026

Target

  • Thread: Show HN: Bhatti - Self-hostable Firecracker orchestrator with auto pause/wake (id=47996509)
  • Author: sahil-shubham (OP self-replies establish the use case as "running my own coding agents")
  • Discovery path: browser sweep via /newest -> filtered for agent-reliability fit -> hn.algolia.com cross-checks ruled out duplicates against open PRs
  • Status at draft time: 6 points, 2 comments (both OP self-replies), ~41 minutes old, reply form live

Why this thread fits the gate

Show HN of an adjacent product (Firecracker orchestrator / sandbox layer) where the OP explicitly solicits design feedback ("If you try it and something breaks, please open an issue. The early adopters who did that have shaped bhatti more than any single design call I made.") and explicitly states the use case is running coding agents. That puts it directly in FailProof's adjacent-tooling space per INSTRUCTIONS.md thread-fit gate.

Reply summary

The reply engages substantively with Bhatti's actual design (snapshottable-paused VM-per-agent with credentialed guests) before mentioning FailProof. Frame: VMs and outside-harnesses isolate blast radius and host filesystem, but neither bounds what the agent does with the credentials it was handed - a prompt-injection or stop-hook-ignored hallucination can still force-push to a real upstream from inside the guest, drop a real database through an outbound MCP, or destroy the only branch of work-in-progress. The natural seam for that is the agent's own PreToolUse hook (Claude Code, Codex Agents SDK), which sits inside the guest and gates calls before dispatch.

One policy named (block-force-push) tied directly to the "force-push to a real upstream" example. No snippet (working-shape rule allows policy name OR snippet, not both).

Compliance against INSTRUCTIONS.md "Tone for discussing it on HN"

  • 137 words on the reply body. Cap is ~150.
  • One disclosure line in lowercase parens at the top, repo URL appears once.
  • No install command, no dashboard/localhost:8020 plug, no ~/.failproofai/ callout, no version number, no three-scope talk, no "39 built-in policies" or feature list, no marketing-cadence connectives.
  • ASCII-only punctuation. Hyphens, straight apostrophes, ASCII slashes only. Verified via grep against the unicode dash / quote / arrow / ellipsis ranges.
  • Cross-thread duplicate guard: read PR [claude-hackernews] Reply draft: harness-outside-sandbox, PreToolUse firewall layer (id=47990675) #17 (Mendral harness-outside-sandbox, id=47990675) and PR [claude-hackernews] Reply draft: SmolVM Show HN, writable-mounts seam (id=47992937) #24 (SmolVM --writable-mounts, id=47992937) before drafting. This Bhatti draft anchors on a different specific angle - credentials inside the guest (git / npm / cloud / MCP URL) being unprotected by the VM perimeter - rather than the "harness moves out" or "writable-mounts seam" framings already in flight.

Test plan

  • Reviewer confirms thread is still alive and reply form is open before posting.
  • Reviewer pastes the fenced reply block verbatim into the HN composer (https://news.ycombinator.com/item?id=47996509).
  • Reviewer checks the post lands and isn't immediately auto-flagged within 30 minutes.
  • If posted, ping the harness with the comment permalink so the HN: line gets a permalink appended and this PR can merge.
  • If aborted (thread died, dup landed, OP got combative on adjacent comments), close PR without merging - draft is on disk, no further action.

Summary by CodeRabbit

  • Documentation
    • Added new draft post with structured metadata and accompanying notes documentation.
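
The in-guest gate that the reply summary describes, sketched as an added example; this is not code from the PR and not FailProof's block-force-push policy. It assumes the Claude Code PreToolUse contract (event JSON on stdin carrying `tool_name` and `tool_input.command`, exit code 2 blocks the call); `is_force_push` and `decide` are hypothetical names.

```python
#!/usr/bin/env python3
"""PreToolUse hook sketch: refuse Bash tool calls that force-push."""
import json
import re
import shlex
import sys

SEPARATORS = re.compile(r"&&|\|\||[;|\n]")       # naive split of chained commands
SHORT_FORCE = re.compile(r"-[A-Za-z]*f[A-Za-z]*")  # -f, or bundled as in -uf


def is_force_push(command: str) -> bool:
    """True if any segment of a shell command line is a git force-push."""
    for segment in SEPARATORS.split(command):
        try:
            tokens = shlex.split(segment)
        except ValueError:  # unbalanced quotes: cannot parse, so fail closed
            if "push" in segment:
                return True
            continue
        names = [t.rsplit("/", 1)[-1] for t in tokens]  # /usr/bin/git -> git
        if "git" not in names:
            continue
        args = tokens[names.index("git") + 1:]
        if "push" not in args:
            continue
        for arg in args[args.index("push") + 1:]:
            # --force, --force-with-lease (treated as force here), +refspec
            if arg.startswith(("--force", "+")) or SHORT_FORCE.fullmatch(arg):
                return True
    return False


def decide(event: dict) -> tuple[int, str]:
    """Map a hook event to (exit code, message); exit code 2 blocks the call."""
    if event.get("tool_name") != "Bash":
        return 0, ""
    command = event.get("tool_input", {}).get("command", "")
    if is_force_push(command):
        return 2, "blocked: force-push rewrites upstream history; push without force"
    return 0, ""


# Constructed sample event, shaped like the JSON the hook receives on stdin.
SAMPLE_EVENT = {"tool_name": "Bash",
                "tool_input": {"command": "cd repo && git push -f origin main"}}

if __name__ == "__main__":
    code, message = decide(json.load(sys.stdin))
    if message:
        print(message, file=sys.stderr)  # stderr is what the agent sees on a block
    sys.exit(code)
```

Matching on the command string is best-effort, so server-side branch protection on the upstream remains the control that holds when the hook is missed.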

…ntent-gating (id=47996509)

Reply on a fresh Show HN of Bhatti, a self-hostable Firecracker
orchestrator with snapshottable pause/wake. OP runs the design for
their own coding agents and explicitly solicits feedback.

Substantive engagement: VM-per-agent gives clean cost story and host
blast-radius, but the guest's mounted credentials (git/npm/cloud/MCP
URL) are not gated by the perimeter. A prompt-injection or
hallucination can still force-push to a real upstream from inside
the guest. Names block-force-push as the boring example. Disclosure
on top, repo URL appears once, no install command, no feature list.
137 words, ASCII-only punctuation.
coderabbitai Bot commented May 3, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2184a978-679c-4bc9-a069-08e28413f580

📥 Commits

Reviewing files that changed from the base of the PR and between ebbce06 and 1fd59d1.

📒 Files selected for processing (1)
  • drafts/2026-05-03T133748Z.md

Walkthrough

A new Markdown draft file is added documenting a planned Show HN reply with metadata, proposed response content, team insights, and compliance notes.

Changes

Show HN Reply Draft

| Layer / File(s) | Summary |
|---|---|
| Draft Content: drafts/2026-05-03T133748Z.md | New draft post with status, HN link, story summary, and top-level reply authored section including disclosure, main argument about intent-gating, and team-specific integration guidance for FailProof. |
| Compliance Notes: drafts/2026-05-03T133748Z.md | Notes and findings section documents constraints: word count, disclosure formatting rules, single policy name requirement, ASCII punctuation restrictions, and forbidden-content validation. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

Poem

🐰 A draft takes shape in timestamps bold,
With intent-gating tales untold,
Reply and insight, notes so neat—
The Show HN reply's almost complete! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and specifically describes the main change: adding a reply draft for a Hacker News Show HN item about Bhatti, with clear focus on VM-per-agent and in-guest intent-gating as the technical angle. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
