▣ The Defensive Deep-Dive · sound vs decorative, per layer
1 · Capability Restriction
Sound: allowlist — expose only specific tools; unlisted capabilities don't exist in the agent's world (default-deny).
Weak: denylist — "we block dangerous functions." Denylists always miss something.
Check: can you enumerate the complete capability set on paper? Are grants logged and revocable from outside?
2 · Network Isolation
Sound: no egress route exists at the network layer; default-deny with explicit allowlisted destinations; DNS, sockets, and timing side-channels all covered.
Weak: URL filtering inside the sandboxed process — the contained thing enforcing its own containment.
Check: is the enforcement point outside the process being contained?
3 · Filesystem Boundary
Sound: a true isolation primitive (namespace / container / VM) where the rest of the disk simply isn't in the agent's view.
Weak: path-string matching to block "bad" paths — symlinks and traversal leak through it. The classic boundary failure.
Check: is scratch space wiped between runs? Are symlinks and shared mounts accounted for?
4 · Frame / Origin Isolation
Sound: enforced by the platform (browser sandbox attribute, OS process isolation); the parent enforces, doesn't assume; cross-boundary channels validated both ends.
Weak: trust based on "the child shouldn't do that" rather than "the child can't."
Check: name the isolation primitive. If you can't name it, it isn't one.
5 · Resource Limits
Sound: hard quotas enforced by the platform (cgroups / VM / wall-clock), failing closed; CPU, memory, time, and I/O all bounded; watchdog outside the sandbox.
Weak: limits checked cooperatively by the contained process — same flaw as network filtering inside.
Check: does exhaustion halt cleanly, or degrade into something dangerous?
6 · Audit / Witness
Sound: logging at the boundary, outside the sandbox, somewhere the contained process can't reach or alter; append-only / tamper-evident; captures attempts, not just successes; actually reviewed.
Weak: logs the sandbox can edit, or logs nobody reads — a witness that can be silenced or ignored isn't a witness.
Check: who or what is watching the log? A witness no one consults is decorative.
THE ONE PRINCIPLE UNDER ALL SIX:
the contained thing must never enforce its own containment.
every weak signal above is a version of that single error.
sound = enforced from OUTSIDE · default-deny · witnessed by something the contained thing can't touch.
a boundary enforced by the inside is not a boundary — it's a request.
The auditor's one-line test for any layer: "Is it enforced from outside the contained thing, default-deny, and witnessed by something the contained thing can't touch?" Three yeses → sound. Any "the process checks itself" → decorative. This is the exterior-witness principle: a system can't contain itself; the boundary contains it; and the boundary must be outside what it contains, or it's theater.
6 LAYERS · 24 CHECKS · SOUND = ENFORCED FROM OUTSIDE, DEFAULT-DENY, WITNESSED BY THE UNTOUCHABLE
THE CONTAINED THING MUST NEVER ENFORCE ITS OWN CONTAINMENT · WEAK SIGNALS ARE ALL THAT ONE ERROR
A BOUNDARY ENFORCED BY THE INSIDE IS NOT A BOUNDARY — IT'S A REQUEST · THE WITNESS MUST BE EXTERIOR
THE SANDBOX AUDIT · A PURPLE PAPER · SERIES E · JUNE 2026