A multi-user agent platform moved the LLM orchestration loop outside ephemeral sandboxes, solving credential isolation, suspension, and shared memory without a distributed filesystem.
Key Takeaways
Harness-outside model keeps LLM API keys and user tokens off the sandbox entirely, eliminating credential leak surface and removing the need for sandbox-level permission enforcement.
Sandbox lifecycle becomes cheap: with Blaxel providing 25 ms standby resume, the sandbox suspends during LLM calls and between tool uses, and is provisioned only when a bash command runs.
Durable execution runs on Inngest; each agent turn is a checkpointed step, surviving rolling deploys and instance failures across multi-hour sessions.
Skills and memories move to Postgres; the harness virtualizes filesystem access by routing paths under /skills/ and /memory/ to the database and workspace paths to the sandbox, keeping the read/write/edit API surface the model was trained on.
Bash is an acknowledged leak in the virtualization layer; tree-sitter parsing and system prompt instructions are best-effort guards, not airtight.
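The path routing described in the takeaways above, as an added sketch that is not the platform's own code: it normalizes a model-supplied path before deciding whether the database or the sandbox serves it. The /skills and /memory roots come from the summary; WORKSPACE_ROOT, the function and class names, and the dicts standing in for Postgres and the sandbox are assumptions.

```python
import posixpath

# /skills and /memory are named on the page; WORKSPACE_ROOT is an assumed value.
DB_ROOTS = {"/skills": "skills", "/memory": "memory"}
WORKSPACE_ROOT = "/workspace"


def route(path):
    """Return (backend, key) for a path the model passed to read/write/edit."""
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    # Resolve relative paths against the workspace, then collapse '.', '..'
    # and repeated slashes BEFORE any prefix comparison.
    norm = posixpath.normpath(posixpath.join(WORKSPACE_ROOT, path))
    # normpath preserves a leading '//' (POSIX allows it), so squash it here.
    norm = "/" + norm.lstrip("/")
    for root, table in DB_ROOTS.items():
        # Compare whole segments so /skillsets/x is not mistaken for /skills.
        if norm == root or norm.startswith(root + "/"):
            return table, norm[len(root):].lstrip("/")
    return "sandbox", norm


class VirtualFS:
    """One read/write surface over two stores (dicts are stand-ins)."""

    def __init__(self):
        self.db = {"skills": {}, "memory": {}}  # stand-in for Postgres tables
        self.sandbox = {}                       # stand-in for sandbox files

    def _store(self, path):
        backend, key = route(path)
        store = self.sandbox if backend == "sandbox" else self.db[backend]
        return store, key

    def write(self, path, data):
        store, key = self._store(path)
        store[key] = data

    def read(self, path):
        store, key = self._store(path)
        return store[key]
```

This covers only the structured file tools; a bash command run in the sandbox never passes through `route`, which is the leak the last takeaway acknowledges.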
Hacker News Comment Review
Commenters challenged the trust boundary: several argued the harness itself is not a reliable security layer, and a sufficiently capable LLM could encode secrets in work output (steganography in whitespace) regardless of where the harness runs.
tptacek pushed back on the framing, arguing that the post presents false dichotomies by assuming sandboxes must be ephemeral, and that tokenizing credentials or using a proxy resolves the secrets problem without complex virtualization.
There is broad agreement the architecture is driven primarily by multi-user and server-side product requirements rather than pure security, with louie.ai and Vita AI citing the same outside-harness pattern for shared sessions and scheduled tasks.
Notable Comments
@zmmmmm: argues the harness should not be trusted more than the LLM given how rapidly both are evolving, questioning it as a reliable constraint boundary.
@jdeng: Vita AI solved the filesystem problem differently using E2B sandbox volumes mounted per user and per org, avoiding the virtualization layer entirely.