Series E · Blue Team · Verify The Box

The Sandbox Audit

an auditor's instrument · check each layer · score the box

A working verification checklist for agent containment. For each layer, tick the checks the sandbox actually passes — the instrument scores each layer sound or decorative and gives an overall verdict. Use it to assess a real sandbox: the question is never "does it claim to be safe" but "which of these does it actually do."

0/24
checks passed · 0/6 layers sound
begin the audit

The Defensive Deep-Dive · sound vs decorative, per layer

1 · Capability Restriction

Sound: allowlist — expose only specific tools; unlisted capabilities don't exist in the agent's world (default-deny).
Weak: denylist — "we block dangerous functions." Denylists always miss something.

Check: can you enumerate the complete capability set on paper? Are grants logged and revocable from outside?

2 · Network Isolation

Sound: no egress route exists at the network layer; default-deny with explicit allowlisted destinations; DNS, sockets, and timing side-channels all covered.
Weak: URL filtering inside the sandboxed process — the contained thing enforcing its own containment.

Check: is the enforcement point outside the process being contained?

3 · Filesystem Boundary

Sound: a true isolation primitive (namespace / container / VM) where the rest of the disk simply isn't in the agent's view.
Weak: path-string matching to block "bad" paths — symlinks and traversal leak through it. The classic boundary failure.

Check: is scratch space wiped between runs? Are symlinks and shared mounts accounted for?

4 · Frame / Origin Isolation

Sound: enforced by the platform (browser sandbox attribute, OS process isolation); the parent enforces, doesn't assume; cross-boundary channels validated both ends.
Weak: trust based on "the child shouldn't do that" rather than "the child can't."

Check: name the isolation primitive. If you can't name it, it isn't one.

5 · Resource Limits

Sound: hard quotas enforced by the platform (cgroups / VM / wall-clock), failing closed; CPU, memory, time, and I/O all bounded; watchdog outside the sandbox.
Weak: limits checked cooperatively by the contained process — same flaw as network filtering inside.

Check: does exhaustion halt cleanly, or degrade into something dangerous?

6 · Audit / Witness

Sound: logging at the boundary, outside the sandbox, somewhere the contained process can't reach or alter; append-only / tamper-evident; captures attempts, not just successes; actually reviewed.
Weak: logs the sandbox can edit, or logs nobody reads — a witness that can be silenced or ignored isn't a witness.

Check: who or what is watching the log? A witness no one consults is decorative.

THE ONE PRINCIPLE UNDER ALL SIX:
the contained thing must never enforce its own containment.
every weak signal above is a version of that single error.
sound = enforced from OUTSIDE · default-deny · witnessed by something the contained thing can't touch.
a boundary enforced by the inside is not a boundary — it's a request.

The auditor's one-line test for any layer: "Is it enforced from outside the contained thing, default-deny, and witnessed by something the contained thing can't touch?" Three yeses → sound. Any "the process checks itself" → decorative. This is the exterior-witness principle: a system can't contain itself; the boundary contains it; and the boundary must be outside what it contains, or it's theater.

6 LAYERS · 24 CHECKS · SOUND = ENFORCED FROM OUTSIDE, DEFAULT-DENY, WITNESSED BY THE UNTOUCHABLE
THE CONTAINED THING MUST NEVER ENFORCE ITS OWN CONTAINMENT · WEAK SIGNALS ARE ALL THAT ONE ERROR
A BOUNDARY ENFORCED BY THE INSIDE IS NOT A BOUNDARY — IT'S A REQUEST · THE WITNESS MUST BE EXTERIOR
THE SANDBOX AUDIT · A PURPLE PAPER · SERIES E · JUNE 2026