Agentbox
Run an autonomous agent on your own machine with a phone approval gate for risky commands, instead of choosing between full trust and a separate box.
What it is
Agentbox runs autonomous agents on your real machine behind a local approval gate. When an agent reaches for something dangerous, Agentbox intercepts the command, asks you to approve it, and only then lets it run.
The problem it solves
People run agents on their own machines, then buy separate hardware the moment they stop trusting those agents with local files, credentials, browser state, cloud CLIs, or production repos. The choice today is binary: full trust, or full isolation somewhere else. Agentbox makes the middle ground available locally, as software.
How it works
Compiled shims sit in your PATH and intercept around twenty-eight dangerous commands (rm, git, ssh, curl, psql, chmod, scp, and more). Each call goes over a Unix socket to a daemon, which classifies it through a deterministic policy engine as allow, approve, or block. Approvals are requested as a phone notification over ntfy; the command runs only if you approve it within the timeout. Every decision is written to a SHA-256 hash-chained SQLite audit log, with secrets redacted before storage.
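As an added illustration (not Agentbox's own code), a minimal SHA-256 hash-chained SQLite audit log with secret redaction of the kind the paragraph above describes: each row commits to the previous row's hash, so an agent that later edits or reorders entries breaks the chain. The table schema, the redaction patterns and the GENESIS value are assumptions, not the project's.

```python
import hashlib
import json
import re
import sqlite3
GENESIS = "0" * 64  # assumed anchor for the first row; not Agentbox's value

# Redaction rules are assumptions: KEY=value style secrets and user:password@ in URLs.
SECRET_PATTERNS = [
    (re.compile(r"(?i)(\w*(?:password|passwd|token|secret|api[_-]?key)\w*=)\S+"), r"\1<redacted>"),
    (re.compile(r"://([^:/@\s]+):([^@\s]+)@"), r"://\1:<redacted>@"),
]

def redact(text):
    """Scrub credential-looking material before it is written to storage."""
    for pattern, repl in SECRET_PATTERNS:
        text = pattern.sub(repl, text)
    return text

def open_log(path=":memory:"):
    """Open (or create) the audit table; an in-memory DB keeps the example self-contained."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS audit (seq INTEGER PRIMARY KEY, command TEXT, decision TEXT, prev_hash TEXT, hash TEXT)")
    return db

def row_hash(seq, command, decision, prev_hash):
    """Each row's hash covers its own fields plus the previous row's hash, forming the chain."""
    payload = json.dumps([seq, command, decision, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def append(db, argv, decision):
    """Record one policy decision (allow / approve / block) for a redacted command line."""
    command = redact(" ".join(argv))
    last = db.execute("SELECT seq, hash FROM audit ORDER BY seq DESC LIMIT 1").fetchone()
    seq, prev_hash = (last[0] + 1, last[1]) if last else (1, GENESIS)
    digest = row_hash(seq, command, decision, prev_hash)
    db.execute("INSERT INTO audit VALUES (?, ?, ?, ?, ?)", (seq, command, decision, prev_hash, digest))
    db.commit()
    return digest

def verify(db):
    """Recompute the chain; returns (True, None) or (False, first bad seq). Edits, reordering and
    gaps are caught; trimming the tail is not, unless the latest hash is also kept somewhere the agent cannot write."""
    prev, expected = GENESIS, 1
    for seq, command, decision, prev_hash, digest in db.execute("SELECT * FROM audit ORDER BY seq"):
        if seq != expected or prev_hash != prev or row_hash(seq, command, decision, prev_hash) != digest:
            return False, seq
        prev, expected = digest, seq + 1
    return True, None
```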
Where it fits
Agentbox is the local execution boundary for coding and ops agents. It is the host-side counterpart to policy systems like Sardis and FIDES: they decide whether an action is permitted in the abstract; Agentbox enforces that decision on the machine where the command actually runs.
Status
The v0.1 control loop (shim, daemon, policy, ntfy approval, audit) is working and tested. The broader roadmap (managed pods, remote workers, OS-level sandboxing) exists as typed stubs and is not yet wired into the running daemon.