AGT Agent Sandbox

This is a fork of toybox that serves as the foundation for jailing LLM agents (starting with opencode, later others) in isolated chroot environments on a Lima VM. The primary purpose is to provide secure execution contexts for AI agents while maintaining security updates from upstream toybox.

Purpose

Jail LLM Agents: Run code-generation and tool-use agents (like opencode) safely in isolated chroot jails
Filesystem Isolation: Agents cannot access the host filesystem or affect other agents' environments
Concurrent Execution: Multiple agents can run simultaneously in separate jails
Security: Track and apply upstream toybox security updates while adding agent-specific tooling

The project is designed to be self-contained within the agt_agent_sandbox/ directory to avoid conflicts with upstream toybox development.

Setup

We use mise for tool management and just as a command runner.

Automatic Setup (Recommended)

If you have direnv and mise installed, simply:

direnv allow
mise trust
mise install

Manual Setup

If you don't use direnv, you can still use the tools via mise:

Install mise
Run commands using mise exec:
```
mise exec -- just lima-up
```
Or add ~/.local/share/mise/installs/just/latest/bin to your PATH after running mise install.

Commands

All lifecycle commands are managed via just:

just lima-up: Create and start the Lima VM.
just lima-shell: Open a shell in the VM.
just lima-clone <new_name>: Clone the current sandbox VM to a new instance.
just lima-stop: Stop the VM.
just lima-delete: Delete the VM.

Snapshots & Rollback

Since this project uses the vz driver on macOS, traditional limactl snapshot commands are currently unimplemented. To preserve a clean state:

Use just lima-clone clean-backup to create a "gold image".
Or use limactl factory-reset agt_agent_sandbox to return to the initial provisioned state.

Testing & Verification

The system includes automated and manual testing procedures to verify agent jailing works correctly:

Automated: Run just lima-verify-run for a complete verification (deploys jails + runs concurrency test)
Manual: See tests/exploratory/manual_jail_test.md for step-by-step procedures to:
- Verify binaries are installed in the Lima VM
- Test chroot jail isolation
- Confirm concurrent execution of multiple agents
- Check filesystem isolation between jails

Name		Name	Last commit message	Last commit date
Latest commit History 5,643 Commits
.github/workflows		.github/workflows
agt_agent_sandbox		agt_agent_sandbox
kconfig		kconfig
lib		lib
mkroot		mkroot
scripts		scripts
tests		tests
toys		toys
www		www
.envrc.example		.envrc.example
.gitignore		.gitignore
AGENTS.md		AGENTS.md
CLAUDE.md		CLAUDE.md
Config.in		Config.in
Justfile		Justfile
LICENSE		LICENSE
Makefile		Makefile
README		README
README.md		README.md
README_agtagentsandbox.md		README_agtagentsandbox.md
configure		configure
dummy		dummy
main.c		main.c
mise.toml		mise.toml
toys.h		toys.h

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

AGT Agent Sandbox

Purpose

Setup

Automatic Setup (Recommended)

Manual Setup

Commands

Snapshots & Rollback

Testing & Verification

About

Uh oh!

Releases

Packages

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

AGT Agent Sandbox

Purpose

Setup

Automatic Setup (Recommended)

Manual Setup

Commands

Snapshots & Rollback

Testing & Verification

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Contributors

Uh oh!

Languages

Packages