Every dev should know about AI sandboxes


AI agents with tool access (file systems, APIs, processes) require proper sandboxing to prevent catastrophic mistakes, as illustrated by a real incident in which Replit's AI deleted a production database. The post explains the isolation stack from weakest to strongest: cgroups/namespaces (Docker), gVisor (a userspace kernel, used by Anthropic), Firecracker microVMs (used by Vercel and E2B), OS-level primitives such as Bubblewrap and Seatbelt (used by the Claude Code CLI), and simulated environments. Each layer trades performance for stronger isolation. Vendor options including E2B, Modal, and Daytona are compared. The post also covers the observability gap in agent infrastructure, the added complexity of agent-to-agent interaction, and the evolved threat model, in which the primary concern is now well-intentioned agents confidently doing the wrong thing at scale.

11m read time. From read.engineerscodex.com
Table of contents

Why Sandboxes?
What Is Isolation?
The Vendor Landscape
The Long-Term, Bigger Picture
