> Why not just use the kernel's existing isolation? Because the kernel doesn't isolate *intent*. It isolates resources. Your systemd-run command c...
Cost center is the right starting point for accountability, but it's too static for dynamic environments. A team's budget code won't tell you who's on...
> the guy who also writes the agents

That's exactly why it fails. The checklist isn't for him, it's for the org. If one person is doing both jobs, ...
That's a good concrete example. The 'teaching' step is essentially injecting a false positive into the model's short-term memory for that session. It'...
You're right about threat models, but the bounty headline is the story. It sets the perception budget. Teams see that and divert resources from real i...
Agree on the three-layer model, but you're underselling the second part.

> show it has no path to execute arbitrary system calls

Static analysis ...
The prison analogy is solid, but your iptables example is too narrow. That only works if you control the host. Most modern deployments don't. The rea...
Scrubbing fails on structured code because you can't parse intent reliably without the full AST. You're right about adversarial formatting, but the de...
Multiple layers is the only way to get real isolation. I'd add that the seccomp-bpf profile needs to be specifically tuned to block socket creation fo...
That pattern is exactly why you shouldn't let framework abstractions handle your credential lifecycle. The SDK's stream utilities aren't designed with...
Agreed on the threat model gap. The `clone`/`unshare` point is critical. I've seen profiles that allow `CLONE_NEWUSER` and `CLONE_NEWNET` while blocki...