Andrea Luzzardi from Mendral published a technical analysis arguing that AI agent system architecture should place the agent loop outside the sandbox rather than inside it, challenging the current approach used by tools like Claude Code. The post, which gained 61 points and 49 comments on Hacker News on May 2, 2026, outlines four critical advantages of the outside-sandbox approach for multi-user enterprise systems.
The architectural decision determines where the agent's control loop runs relative to the execution environment. Inside-sandbox architectures run everything in one container with local filesystem access, while outside-sandbox designs run the loop on backend infrastructure and access the sandbox via API.
Four Critical Advantages of Outside-Sandbox Architecture
Luzzardi identifies security as the primary benefit: "Your credentials stay out of the sandbox ... There's nothing in there for the agent to escape to." This separation proves critical given research from SandboxEscapeBench showing frontier AI models can escape container environments.
Resource efficiency represents the second advantage. Outside-sandbox architectures allow sandboxes to suspend during thinking, API calls, and CI waits—only activating for command execution. Mendral's implementation using Blaxel achieves 25ms resume latency for suspended sandboxes.
Resilience improves dramatically when sandboxes can be replaced mid-session without losing context. Failed containers become trivial to restart since the agent state lives outside the disposable execution environment.
Shared state becomes manageable: "Multi-user stops being a distributed filesystem problem ... this is a shared database." Rather than coordinating filesystem access across concurrent sessions, organizational data routes to Postgres while preserving the filesystem API surface models were trained on.
The Filesystem Virtualization Solution
Modern agent harnesses assume local filesystems for skills and memories. Mendral virtualizes filesystem access through path-based routing: workspace paths (/workspace/*) route to the sandbox, while organizational data (/skills/*, /memory/*) routes to Postgres. This design provides database semantics for shared data while maintaining API compatibility with existing model training.
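As an added illustration (not Mendral's code), here is a minimal Python version of such a path router. The two backends and the route table are constructed stand-ins for the sandbox API and Postgres; the security-relevant detail is that paths are canonicalized before prefix matching, so a `..` segment cannot move a request from one backend to the other.

```python
import posixpath
from typing import Dict

# Constructed stand-ins for the two backends. In the design described
# above the workspace lives in a remote sandbox reached over an API and
# shared organizational data lives in Postgres; here both are in-memory
# dicts so the routing logic runs offline.
SANDBOX_FS: Dict[str, bytes] = {"/workspace/app/main.py": b"print('hi')\n"}
SHARED_DB: Dict[str, bytes] = {"/skills/review.md": b"# Review checklist\n"}

# Path prefix -> backend name (assumed table; prefixes are disjoint).
ROUTES = {
    "/workspace": "sandbox",
    "/skills": "database",
    "/memory": "database",
}

def canonicalize(path: str) -> str:
    """Collapse '.', '..' and duplicate slashes before matching a prefix.

    Routing on the raw string would let '/workspace/../skills/x' look like
    a sandbox path while actually naming shared data, so the path is
    normalized first and must be absolute.
    """
    if not path.startswith("/"):
        raise ValueError(f"path must be absolute: {path!r}")
    return posixpath.normpath(path)

def route(path: str) -> str:
    """Return which backend owns the canonical path; refuse unrouted paths."""
    canon = canonicalize(path)
    for prefix, backend in ROUTES.items():
        if canon == prefix or canon.startswith(prefix + "/"):
            return backend
    raise PermissionError(f"no route for {canon!r}")

def read_file(path: str) -> bytes:
    """Dispatch a read to the backend that owns the path."""
    store = SANDBOX_FS if route(path) == "sandbox" else SHARED_DB
    canon = canonicalize(path)
    if canon not in store:
        raise FileNotFoundError(canon)
    return store[canon]

def write_file(path: str, data: bytes) -> str:
    """Write through the same router; return the backend that took it."""
    backend = route(path)
    store = SANDBOX_FS if backend == "sandbox" else SHARED_DB
    store[canonicalize(path)] = data
    return backend
```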
Industry Context and Security Implications
The AI agent landscape shows massive architectural divergence. OpenAI's upgraded Agents SDK implements Zero-Trust Sandbox Security with full isolation between compute and harness. Anthropic's Claude Code runs the agent loop and execution in shared context, representing the inside-sandbox approach.
Production system data reveals varied security postures: 17% of implementations use full process privileges with no isolation, while 45% use isolated child processes. Container-isolated projects uniformly implement policy engines (100%), suggesting security concerns drive architectural complexity.
Tradeoffs and Implementation Complexity
Luzzardi acknowledges that each approach involves distinct tradeoffs. Inside-sandbox architectures offer simpler execution models and work with off-the-shelf harnesses. Outside-sandbox designs require API-based sandbox access and more sophisticated state management, but deliver superior security, efficiency, and multi-user capabilities.
The debate highlights fundamental questions facing AI agent infrastructure: whether to prioritize simplicity and compatibility or security and scalability. As AI agents move from development environments to production systems handling sensitive enterprise data, these architectural decisions carry increasingly significant consequences.
Key Takeaways
- Andrea Luzzardi from Mendral argues that AI agent loops should run outside sandboxes rather than inside them, offering superior security and multi-user properties
- Outside-sandbox architecture keeps credentials separated from execution environments, preventing escape attacks that SandboxEscapeBench research shows are possible with frontier models
- Resource efficiency improves dramatically as sandboxes suspend during non-execution periods, with Mendral achieving 25ms resume latency using Blaxel
- Filesystem virtualization through path-based routing allows organizational data to use database semantics while preserving the API surface models were trained on
- Industry implementations show divergence: 45% use isolated child processes while 17% use no isolation, with container-isolated projects uniformly implementing policy engines