Sandboxes and Execution Controls
Injection will succeed (ASI07). The agent will be coerced into running code. The sandbox is the layer that decides whether that means a confused log line or a reverse shell on your jump host. The blast-radius principle: assume the sandbox will be escaped, and design so an escaped sandbox still has no credentials and no network.
The sandbox is the last line of defense, and it is software — it will be escaped. The naive goal of 'harden the sandbox so it cannot be escaped' is wrong; the correct goal is the blast-radius principle: assume escape succeeds, and design so an escaped sandbox has no credentials (IronCurtain's fake-key swap) and no network (the namespace's default-deny survives escape). The escape becomes a detected-and-killed anomaly, not an incident.
Four attack vectors define the sandbox threat surface, and default-deny network egress is the most under-applied control. Vector 1 (escape) reaches the host via a provider bug; vector 2 (egress) exfiltrates data, callbacks to a C2, or SSRFs the cloud metadata service; vector 3 (ASI09) weaponizes unbounded resource use to fail-OPEN by OOM-killing the monitor; vector 4 (sidecar) suborns a privileged helper. Operators fixate on the filesystem mis-scope that coughs up the secret and ignore the network that carries it out — default-deny contains the larger class of outcomes.
Execution policies must be allowlists, compiled deterministically, with zero LLM at runtime. Denylists fail on the unbounded space of 'commands you didn't think of.' Per-tool execution scopes close cross-tool command injection. The IronCurtain model compiles plain-English policy to deterministic JSON rules offline (with verify-and-repair) and enforces with pure if/then matching at runtime — security-critical runtime decisions must be deterministic. CrabTrap's LLM-as-judge answers the semantic egress question probabilistically ON TOP of the network-layer default-deny; it does not replace it.
The cloud metadata service (169.254.169.254) is a must-block special case. It hands out instance credentials to anything that reaches it — a sandboxed agent that reaches metadata steals the host's cloud role, far worse than a local secret read. Default-deny blocks it for free; an allowlist that does not list it blocks it for free; an LLM-judge-only model is one prompt injection away from failing to block it. Block the metadata service at the network layer, always.