Series E · Containment From The Defender's Side

The Sandbox Holds

not how it breaks — how it holds, and why

An educational model of agent containment. A simulated agent throws abstract probes at its boundaries — and you watch each containment layer catch them. This teaches the part that matters for evaluating safety: why the box holds. The probes are labeled by class only; no real techniques — every probe is caught, because that's what defense-in-depth does.

◈ defender's view · every probe is contained · no exploit content
// audit log — every probe recorded at the boundary

§1 · The Six Layers (defense-in-depth)

LayerCatches (probe class)Why it holds
Capability Restrictionrequests for a tool/permission never grantedthe agent can only call what was handed to it; unlisted capabilities don't exist in its world
Network Isolationattempts to reach an outside hostno egress route exists; a call outward has nowhere to go
Filesystem Boundaryaccess outside the allowed scratch spacepaths outside the mount aren't visible; the rest of the disk isn't in reach
Frame / Same-Origin Isolationtouching the parent page or another originthe browser's sandbox attribute walls the frame off — this artifact runs in exactly this
Resource Limitsexhausting CPU / memory / timehard quotas halt runaway work; the agent can't spend past its budget
Audit / Witnesseverything — each probe is loggedan exterior witness records every attempt; observed containment is verifiable containment

§2 · Why The Witness Layer Is The Meta-Guarantee

The first five layers block. The sixth witnesses — and it's the one that turns "we believe it's contained" into "we can verify it's contained." A sandbox with no audit is a claim; a sandbox that logs every boundary-probe is a claim you can check from outside. This is the session's through-line: a closed system can't witness itself; the boundary witnesses it. The audit layer is the exterior gap that makes the whole box provable, not just hopeful.

five layers block (capability, network, filesystem, frame, resource) · one layer witnesses (audit) · the witness is what makes containment verifiable rather than merely asserted. the gap is the proof.

§3 · What This Teaches (and what it doesn't)

This is the defender's model — the thing you need to evaluate whether a sandbox is sound: the layers, what each catches, and why the walls hold. It deliberately shows no escape techniques — the probes are abstract boundary-tests, every one caught. Understanding containment from the defense side is what lets an auditor judge it, a builder design it, and a student learn why the box is a box. The lesson isn't "here's a way out" — it's "here's why there isn't one, and here's how you'd verify that."

SIX LAYERS · FIVE BLOCK (CAPABILITY · NETWORK · FILESYSTEM · FRAME · RESOURCE) · ONE WITNESSES (AUDIT)
EVERY PROBE CAUGHT AND LOGGED · DEFENSE-IN-DEPTH · THE WITNESS MAKES CONTAINMENT VERIFIABLE
DEFENDER'S VIEW · NO EXPLOIT CONTENT · THE LESSON IS WHY THE BOX HOLDS, AND HOW YOU'D CHECK
THE SANDBOX HOLDS · A PURPLE PAPER · SERIES E · JUNE 2026