AI Primer

Jai launches casual, strict, and bare sandbox modes for AI agents

Stanford's `jai` package launches casual, strict, and bare Linux containment modes for AI agents, and Hacker News commenters pair the idea with Claude Code and OpenClaw hardening tips. The workflow narrows an agent's write scope and shrinks the set of persistence paths it could poison, such as Git hooks, `.venv` files, and startup artifacts.


TL;DR

  • Stanford's jai launch introduces a lightweight Linux sandbox for AI agents with three modes: “casual” for a copy-on-write home overlay, “strict” for an unprivileged user with an empty home, and “bare” for a hidden home directory.
  • The project page positions jai as “easy containment for AI agents,” not a full container replacement, and says it limits writes outside the working directory while isolating PID and temp namespaces.
  • In the accompanying Hacker News discussion, practitioners mapped the same idea onto existing agent tools, including a Claude Code config that allows read/write on `.` while denying `~/` and `/`.
  • The thread also sharpened the threat model: commenters called out persistent paths an agent could poison that would be executed later, including `.pyc` files, `.venv` contents, and Git hooks, while others described diff-and-apply container workflows to keep agent changes reviewable.

What changed for agent isolation workflows?

Hacker News: jai - easy containment for AI agents (588 upvotes · 312 comments)

Jai packages a tighter default boundary around local coding agents with a one-command Linux sandbox aimed at filesystem containment rather than full VM- or container-level replacement. The launch page says “casual” keeps your home available through a copy-on-write overlay, “strict” runs as an unprivileged user with an empty home, and “bare” hides home entirely. Across modes, the design centers on limiting writes outside the current working directory and giving the process private PID and temp space.
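To make the three modes concrete, here is an added example (not jai's own code, and not necessarily its exact policy) that expresses casual, strict and bare as bubblewrap (`bwrap`) argument lists, with a self-check that the only host path left writable is the working directory. It assumes `bwrap` 0.8 or later for `--overlay-src`/`--tmp-overlay` and a kernel that allows overlayfs inside user namespaces; the `65534` identity and the `/tmp/home` scratch path are this example's choices.

```python
"""Added example: jai's three modes expressed as a bubblewrap (bwrap) argv.

This is not jai's own code and need not match its exact policy. It makes
concrete what "limit writes outside the working directory, private PID and
temp space, three treatments of $HOME" look like as namespace and mount
operations. Assumes bubblewrap >= 0.8 (for --overlay-src/--tmp-overlay) and
a kernel that permits overlayfs inside user namespaces (5.11+).
"""
from __future__ import annotations

import os
import sys
from pathlib import PurePosixPath

MODES = ("casual", "strict", "bare")

# Operand count of every bwrap flag this example emits; the self-check
# below uses it to walk the argv.
ARITY = {
    "--ro-bind": 2, "--bind": 2, "--setenv": 2,
    "--tmpfs": 1, "--dev": 1, "--proc": 1, "--dir": 1, "--chdir": 1,
    "--overlay-src": 1, "--tmp-overlay": 1, "--uid": 1, "--gid": 1,
    "--unshare-pid": 0, "--unshare-user": 0, "--die-with-parent": 0,
}


def sandbox_args(mode: str, workdir: str, home: str) -> list[str]:
    """bwrap arguments for MODE, without the command to run."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode!r}")
    workdir, home = str(PurePosixPath(workdir)), str(PurePosixPath(home))

    # Shared boundary: host root read-only, fresh /tmp and /dev, a private
    # PID namespace, and the sandbox dies with the agent process. Network
    # is left as on the host; add "--unshare-net" if the agent can do without.
    args = ["--ro-bind", "/", "/", "--tmpfs", "/tmp", "--dev", "/dev",
            "--proc", "/proc", "--unshare-pid", "--die-with-parent"]

    if mode == "casual":
        # $HOME stays readable; writes land in a throwaway tmpfs upper layer,
        # so dotfiles and caches look normal but nothing persists.
        args += ["--overlay-src", home, "--tmp-overlay", home]
    elif mode == "strict":
        # Unprivileged identity in a user namespace plus an empty $HOME:
        # host dotfiles and credentials are not even readable.
        args += ["--unshare-user", "--uid", "65534", "--gid", "65534",
                 "--tmpfs", home]
    else:  # bare
        # Hide the home tree (all of /home when $HOME lives there) and point
        # HOME at an empty scratch dir under the private /tmp.
        parent = PurePosixPath(home).parent
        hide = home if str(parent) == "/" else str(parent)
        args += ["--tmpfs", hide, "--dir", "/tmp/home",
                 "--setenv", "HOME", "/tmp/home"]

    # bwrap applies mounts in order, so the working tree is bound read-write
    # LAST: it stays visible even when it lives under a home tree that an
    # earlier tmpfs or overlay covered.
    args += ["--bind", workdir, workdir, "--chdir", workdir]
    return args


def writable_host_paths(args: list[str]) -> set[str]:
    """Self-check: host paths the sandbox can write through, i.e. --bind
    destinations not covered by a later tmpfs/overlay on them or on an
    ancestor. For every mode this should be exactly {workdir}."""
    ops, i = [], 0
    while i < len(args):
        n = ARITY[args[i]]
        ops.append((args[i], args[i + 1:i + 1 + n]))
        i += 1 + n
    writable = set()
    for k, (flag, operands) in enumerate(ops):
        if flag != "--bind":
            continue
        dest = operands[1]
        covered = any(
            f in ("--tmpfs", "--tmp-overlay")
            and (o[0] == dest or dest.startswith(o[0].rstrip("/") + "/"))
            for f, o in ops[k + 1:]
        )
        if not covered:
            writable.add(dest)
    return writable


def launch(mode: str, workdir: str, command: list[str]) -> None:
    """Replace this process with COMMAND inside the sandbox (bwrap on PATH)."""
    args = sandbox_args(mode, workdir, os.environ.get("HOME", "/root"))
    if writable_host_paths(args) != {str(PurePosixPath(workdir))}:
        raise RuntimeError("sandbox would leave unexpected host paths writable")
    os.execvp("bwrap", ["bwrap", *args, "--", *command])


if __name__ == "__main__":
    # usage: python3 agent_sandbox.py {casual|strict|bare} /path/to/repo -- CMD...
    if len(sys.argv) < 5 or sys.argv[3] != "--":
        sys.exit("usage: agent_sandbox.py MODE WORKDIR -- COMMAND...")
    launch(sys.argv[1], sys.argv[2], sys.argv[4:])
```

Mount order is the detail worth checking in any wrapper of this kind: `bwrap` applies mounts left to right, so the working-tree bind goes last, and `writable_host_paths` flags the mis-ordered case where a later tmpfs would hide the project directory.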

That maps closely to how developers are already hardening agent runs. In the HN discussion, one practitioner shared a Claude Code sandbox policy that sets `allowRead` and `allowWrite` to `.` while denying `~/` and `/`, which is the same narrow-scope pattern in tool-specific form. Another commenter said there are “all kinds of files” an agent could write and later get executed, including “.pyc,” “.venv,” and Git hooks, which explains why simple write restrictions matter even when an agent is only supposed to touch a repo, and why the copies of those paths that live inside the repo (`.git/hooks`, a project `.venv`) still need review before anything on the host runs them.

Hacker News discussion: Go hard on agents, not on your filesystem (588 upvotes · 312 comments)

The thread also showed where teams may go further than jai's built-in model. One workflow runs the agent in Docker, then surfaces a unified diff for review before applying it, with a reset to discard the session. A separate supporting post argued safety rules should live in a proxy layer the agent “can't touch,” not only in the prompt context. Together, the early reaction frames jai less as a brand-new security model than as a simpler entry point into the containment patterns operators were already piecing together by hand.
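As an added check that complements the diff-review step above (example code, not jai's and not from the thread): a post-session audit that walks the working tree for the persistence paths the commenters named, Git hooks, Python bytecode, `.venv` contents and startup files, and reports what would execute later on the host. The category names, the shell startup file list and the fixture tree are this example's own assumptions.

```python
"""Added example: post-session audit for agent-writable persistence paths.

Not jai's code and not from the HN thread. After an agent run, walk the
working tree and report files that ordinary developer actions will execute
later (git operations, Python imports, interpreter or shell startup), so
they get a human look before the session's diff is applied. The categories
are the ones the discussion names; the matching rules, the extra startup
file names and the sample tree are this example's own.
"""
from __future__ import annotations

import os
import re
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

SHELL_STARTUP = {".envrc", ".bashrc", ".zshrc", ".profile"}  # assumed list
PY_STARTUP = {"sitecustomize.py", "usercustomize.py"}  # run by CPython at start
PTH_IMPORT = re.compile(r"^\s*import\s")  # such .pth lines are executed, not paths
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


@dataclass(frozen=True, order=True)
class Finding:
    category: str
    path: str  # relative to the audited root, POSIX separators
    reason: str


def audit_persistence(root: str | os.PathLike) -> list[Finding]:
    """Return sorted findings for files under ROOT that would run later."""
    root = Path(root)
    out: list[Finding] = []

    def add(cat: str, p: Path, why: str) -> None:
        out.append(Finding(cat, p.relative_to(root).as_posix(), why))

    for p in root.rglob("*"):
        if not p.is_file():
            continue
        parts, name = p.relative_to(root).parts, p.name
        # Git hooks: anything in .git/hooks that is not *.sample runs on the
        # next commit/push/checkout; git skips hooks without the exec bit.
        if parts[-3:-1] == (".git", "hooks"):
            if not name.endswith(".sample"):
                runs = p.stat().st_mode & EXEC_BITS
                add("git-hook", p, "runs on next git operation" if runs else "inert until chmod +x")
        # Bytecode: a .pyc outside __pycache__ is imported even with no .py
        # beside it (sourceless import); one inside __pycache__ is ignored
        # once its source is gone, but an orphan still deserves a look.
        elif p.suffix == ".pyc":
            if p.parent.name != "__pycache__":
                add("pyc", p, "sourceless .pyc is importable")
            elif not (p.parent.parent / (name.split(".")[0] + ".py")).exists():
                add("pyc", p, "orphan bytecode, source missing")
        # Interpreter startup hooks: sitecustomize/usercustomize, .pth imports.
        elif name in PY_STARTUP:
            add("py-startup", p, "executed at interpreter startup")
        elif p.suffix == ".pth":
            if any(PTH_IMPORT.match(l) for l in p.read_text(errors="replace").splitlines()):
                add("py-startup", p, ".pth import line runs at startup")
        # Activation scripts are sourced into the developer's shell.
        elif ".venv" in parts and p.parent.name == "bin" and name.startswith("activate"):
            add("venv-activate", p, "sourced into shell on activation")
        elif name in SHELL_STARTUP:
            add("shell-startup", p, "sourced by direnv or the login shell")
    return sorted(out)


def build_sample_tree(root: Path) -> None:
    """Constructed fixture: a benign repo plus one instance of each poison path."""
    def w(rel: str, text: str = "", mode: int | None = None) -> None:
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(text)
        if mode is not None:
            f.chmod(mode)
    w("src/app.py", "x = 1\n")
    w("src/__pycache__/app.cpython-312.pyc")        # legitimate: source present
    w("src/__pycache__/ghost.cpython-312.pyc")      # orphan bytecode
    w("src/helper.pyc")                             # sourceless, importable
    w(".git/hooks/pre-commit", "#!/bin/sh\necho hooked\n", 0o755)
    w(".git/hooks/pre-push.sample", "# shipped by git\n")
    w(".venv/lib/python3.12/site-packages/inject.pth", "import os; os.system('id')\n")
    w(".venv/lib/python3.12/site-packages/plain.pth", "/opt/extra\n")
    w(".venv/bin/activate", "export VIRTUAL_ENV=1\n")
    w(".envrc", "export FOO=bar\n")


def demo() -> list[Finding]:
    """Build the fixture in a fresh temp dir and audit it (six findings)."""
    root = Path(tempfile.mkdtemp(prefix="agent-audit-"))
    build_sample_tree(root)
    return audit_persistence(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.category:14} {f.path:50} {f.reason}")
```

Run it against the real working tree with `audit_persistence(".")` after the agent session and before `git apply`; a clean sandbox does not make these findings safe, it only ensures they are still sitting unexecuted in the repo when you look.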
