AI + Tools

Bubblewrap for LLMs: Why YOLO Defaults Lose

5 min read

Every AI coding agent ships with a dangerous assumption baked into its defaults: full filesystem access, full network reach, and permission to read every environment variable your shell knows. That works at hackathon speed and fails the moment you handle client IP, biotech sequences, or government data.

The fix is mundane: bubblewrap sandboxes, container jails, --no-tools modes, and tmpfs $HOME. The interesting question is not whether sandboxing works. It does. The question is why teams resist the discipline when the alternative is handing a foreign agent the keys to their .ssh directory.

The YOLO Default Problem

Run a coding agent like pi, Claude Code, or Codex straight from your terminal and it inherits everything your shell can see. Your $HOME, your AWS credentials in ~/.aws/, your SSH keys, your entire development history. The agent can read your Git config to discover your personal email, scan your shell history for API endpoints, and exfiltrate anything you have permission to read, all in the service of writing a Python function.

Most people accept this because they have never seen an alternative. Consider the difference between running pi directly versus using it through a sandbox wrapper like pi-bwrap-rw:

# Direct invocation. Gives pi everything.
pi "refactor this authentication module"

# Sandboxed invocation. Gives pi only what it needs.
pi-bwrap-rw --share-net --clearenv \
  --setenv=OPENAI_API_KEY="$OPENAI_API_KEY" \
  pi "refactor this authentication module"

The first command hands the agent your entire development environment. The second drops it into a bubblewrap jail with a tmpfs $HOME, no access to your SSH keys or project history, and only the specific environment variables you explicitly allow.

The Numbers Don’t Lie

A working sandbox wrapper adds about 50 lines of shell to any agent CLI. The performance cost is approximately zero. Here is what a production pi-bwrap-rw wrapper does:

#!/usr/bin/env bash
bubblewrap --ro-bind /usr /usr \
           --ro-bind /lib /lib \
           --ro-bind /lib64 /lib64 \
           --tmpfs "$HOME" \
           --dev /dev \
           --proc /proc \
           --unshare-all \
           --share-net \
           --clearenv \
           --setenv PATH "/usr/bin:/bin" \
           --setenv OPENAI_API_KEY "$OPENAI_API_KEY" \
           --setenv ANTHROPIC_API_KEY "$ANTHROPIC_API_KEY" \
           "$@"

That is it. A tmpfs $HOME means any files the agent creates vanish when the session ends. --clearenv strips all environment variables except the ones you explicitly allow. --share-net gives network access for API calls, but only after the sandbox is established. The runtime overhead is milliseconds. The security benefit is complete isolation from your host environment.

Why Regulated Environments Won’t Accept YOLO

Biotech R&D teams and federal contractors cannot afford to expose their data. Not because of negligence, but because the consequences are existential. A biosequence that accidentally leaks into a third-party provider’s logs could invalidate your IP protection. Government contract data that passes through an unvetted pipeline triggers compliance violations that can destroy a company overnight.

The conversation shifts from security objection to sales opportunity when you can say, “We sandbox by default.” It tells clients you understand that their IP is their moat, that compliance is not optional, that audit trails matter. It demonstrates you have thought beyond the shiny AI capabilities to the boring work of protecting what makes their business defensible.

I have seen this firsthand. When clients learn that my consulting workflows run inside container sandboxes with restricted filesystem access and controlled network egress, the security conversation ends and the value conversation begins. The discipline is not a constraint. It becomes a selling point.

The Capability vs. Discipline Trade-Off

The AI-tools discourse argues about capability: more tools, more filesystem access, more environment variables, more power. The argument seduces because it maps cleanly to developer expectations. If I can do it, the AI should be able to do it too.

But that argument breaks in production. The most valuable AI tools in regulated environments are not the ones with the most capability. They are the ones with the most constraints. A coding agent that can only read the files you allow is one you can use on valuable codebases. An agent that requires full filesystem access is one you keep confined to toy projects.

The pattern repeats across AI tooling. Data-analysis agents that can query your production database are academic curiosities. Agents that operate on specifically provisioned and sanitized datasets are the ones companies deploy. The boring discipline of explicit data contracts turns AI from a security risk into a business enabler.

Why Teams Resist

Teams resist sandboxing for three reasons, none of which survive scrutiny.

Perceived startup friction. Installing bubblewrap or configuring a container wrapper feels like extra setup work. It is, but it is one-time work. The alternative is manually managing secrets and sanitizing environments continuously.

The “but it breaks my workflow” objection. Some developers point to IDE integrations, custom Git hooks, or shell aliases that do not work inside a sandbox. The solution is not to abandon sandboxing. It is to fix the workflow: make your tools sandbox-aware, not your environment permissive.

The illusion of control. Teams believe they can audit what an AI agent accesses. They cannot. The agent operates through opaque API calls, tool definitions you cannot fully inspect, and context windows that hide exactly what is being sent upstream. Sandboxing is your only reliable boundary.

The Discipline Pays Dividends

Once you adopt sandboxing as a default rather than an exception, the second-order benefits start to show. Your security posture becomes predictable because every agent runs in the same restricted environment. The audit trail becomes meaningful because you can say with certainty that no agent accessed credential files. Compliance becomes demonstrable through container policies that visibly isolate development from production.

These benefits compound. Security review drops from weeks to hours. Onboarding accelerates because the environment is already constrained. Confidence in using AI tools on valuable work goes up because you know the blast radius is bounded.

The harder thing to capture in a metric is what changes about your relationship with clients and stakeholders. You move from justifying why you did not secure their data to demonstrating how you secured it by design. That is not just a technical decision. It is a business differentiator.

The bubblewrap is the receipt that you have actually thought about who can read your .ssh directory.

Continue Reading

AI + Tools

Memory Is a Snapshot, Not a Source of Truth

Your AI's memory is a snapshot of what was true at some past moment. The code, the file paths, the function names, the flags all move. The memory does not. Verifying a recalled fact before acting on it is the cheapest discipline in the toolkit and the one that gets skipped most often.

 AI + Tools

Web-Search Seed, Local Synthesis

If your LLM needs current web data but you can't give it internet access, the answer is not to find an LLM with internet access. It is to separate retrieval from synthesis. The retrieval phase has internet. The synthesis phase has the data. Neither phase has both.

 AI + Tools

The Syntax Tax

Enterprise and scientific software has a long tail of capability most teams never reach because it is locked behind syntax. AI coding assistants change where in the workflow that translation happens.