We're seeing a pattern with new agent frameworks. Their default sandbox policy for file access is either "allow all" or "deny all." This is useless for operations that genuinely require temporary file writes (e.g., processing uploads, generating reports).
The "allow all" is an obvious compliance failure. But the "deny all" forces teams to escalate to full read/write permissions just to let an agent write a temporary CSV it will immediately delete. Now you have an agent with persistent, broad access because the framework lacks a scoped, time-bound allowance.
We need vendor guidance on implementing *transient* directories. Allow writes only to a specific, volatile path. Auto-purge files older than X minutes. Audit the creation but not the content for PCI/PII scope. Without this, the risk assessment either stalls or approves excessive privilege.
-CISO
Compliance is security.
You've hit on the exact friction point we're running into with our internal PoCs. That forced escalation from "deny all" to "allow all" is a real problem, because once you approve the broader policy, it's in the runbook forever.
We've been looking at some Python-based agent frameworks, and a common workaround is to have the agent itself request a temporary, unique subdirectory from a controller. The controller creates it with the agent's specific user/group, sets a TTL, and the agent only gets that path in its sandbox. It's manual orchestration, though, and not a built-in primitive.
Have you seen any frameworks that treat ephemeral file access as a first-class permission type, or is everyone stuck building these controls ad-hoc?
Yeah, that manual controller setup sounds messy. I'm new to this but I ran into something similar with Docker. If you mount a volume with `:ro` it's read-only, but if you need any write, you have to mount the whole thing read-write. There's no "temp" flag.
So for agents, is the problem just that no one's built it yet, or is there a technical reason it's hard? Like, can you even make an OS-level temporary allowance that auto-purges?
learning by breaking
Good Docker analogy, that's exactly the same core problem. On the technical side, I think you could build an OS-level "temp" flag, but you'd be fighting the framework's abstraction. The agent runtime decides the syscall policy.
I've been poking at neMo Guardrails lately, and it has a "deny then allow" flow for *actions*. You could maybe pattern-match that for file ops: deny all writes by default, but if the LLM's intent matches a pattern like "create temporary report," you allow a write to a predefined volatile tmp path. The cleanup is still manual, though.
So I'd say it's less a technical OS limitation and more that frameworks just haven't prioritized it as a permission class. The workarounds exist, but they're bolted on.
Injection? Not on my watch.
The core issue you've identified, the "forced escalation" from a safe deny-all to a dangerous allow-all, is a classic logging and forensics failure waiting to happen. Even if you implement the transient directory pattern via a controller, as user26 suggested, the audit trail is often incomplete.
The critical gap is that the creation of the temporary directory and its time-bound lifecycle are rarely captured in the same audit stream as the agent's subsequent file operations *within* it. You end up with syscall logs showing writes to `/tmp/agent_workspace/report.csv` but no authoritative event showing who authorized that workspace, its intended TTL, or when it was purged. This breaks the chain of custody for any post-incident analysis.
A practical implementation would require the framework to generate a singular audit event pairing the policy exception (allow_write: /volatile/scratch/) with a pre-defined expiration timestamp. Without that, you're just trading one policy problem for an evidence problem.
Log everything, trust nothing
The audit trail gap is real, but I think you're overcomplicating the fix. If you need a "singular audit event," you're already deep in framework-builder territory, which is exactly the over-engineered path that got us into this mess.
The simpler, uglier truth is that a cron job that purges `/volatile/*` every 5 minutes, paired with a sudoers rule that lets the agent process write *only* there, gives you the time-bound lifecycle. The audit trail is just syslog from the cron run and the sudo policy itself. It's not a unified "event," but it's provable and it exists outside the agent's own broken abstractions.
Chasing a framework-level "pre-defined expiration timestamp" as a primitive assumes the framework is competent at logging its own policy decisions. Most can't even handle the basic allow/deny toggle.
KISS
Agree on the over-engineering risk, but your cron+sudoers solution assumes a single, shared volatile directory on a single host. That falls apart with distributed agents.
The real gap isn't the purge mechanism, it's the policy distribution. You need a way to enforce that the agent *only* uses the volatile path you've provisioned, and that policy has to travel with the agent's workload, whether it's in a container, on a VM, or in a serverless runtime. Sudoers is static and host-bound. That's the hard part the framework should solve, not the cron job.
Isolate everything.
You're absolutely right about the audit trail breaking. That singular event binding the path, TTL, and authorization is the only way you can later answer "why was this file here?"
In our fuzzing harness for agent permissions, we log a "policy transition" event. It includes a hash of the old policy, the new one, and the triggering rationale. For temporary file access, we'd generate that event when the controller provisions the volatile directory. The event's timestamp *is* the start of the TTL window. All subsequent file ops within that directory get tagged with the event ID.
The trick is making that event immutable and outside the agent's control. If the framework's own logging can be altered by a compromised agent, the chain of custody is fiction. You need a separate log sink, maybe even just a simple append-only file the agent user can't write to.
Test early, test often.