What an Agent CAN Do
What an Agent CANNOT Do
The Defense Layers in Detail
Layer 1: Docker Isolation
Each agent runs in a separate Docker container. The container has no access to:- Host environment variables (no leaked API keys)
- The host filesystem (no
~/.ssh, no~/.aws) - Other agents’ containers
Layer 2: Read-Only Mounts
Tool binaries and packages are mounted read-only into the sandbox. Even if an agent tries to modify a tool, it can’t. The only writable location is/workspace.
Layer 3: Socket Identity
The gateway assigns one Unix socket per agent. When a tool call arrives, the gateway knows which agent sent it from the connection itself — not from anything in the payload. An agent cannot forge its own identity.Layer 4: Policy Engine
The gateway maintains an explicit allowlist of tools per agent. Tool calls for tools not on the list are denied before execution. The default is deny — an agent with an emptytools array can call nothing.
Layer 5: Audit Logging
Every tool invocation is appended to~/.beige/logs/audit.jsonl with a timestamp, agent name, tool name, arguments, and result. The log is append-only — agents cannot modify past entries.
For an even deeper technical dive, see The Gateway → Security Model.
