LASSO

Layered Agent Sandbox Security Orchestrator

A proposal for controlled AI agent usage

A tool that puts coding agents inside locked-down containers with command controls and a full audit trail

March 2026

1 / 10

The concern was real:
agents had too much access

[Diagram: an AI agent with unrestricted reach into the database, repo files, the network, and restricted commands]

An agent recently tried to download database tools to "help" answer a question, exactly the kind of risk that led to the ban.
2 / 10

What if there were a way to control the access?

Before the ban, agents helped us with real work:

  • Investigating bugs by reading the codebase
  • Writing and reviewing code faster
  • Generating boilerplate and documentation
  • Working with repo files (table definitions, views, configs)

The ban made sense — agents shouldn't have access to things they don't need.

What if we could give them access to only what they need and block everything else?

3 / 10

LASSO: 3 Layers of Protection

Even if the inner layers have gaps, the outer wall catches what slips through: the sandbox enforces, it does not ask.

Layer 3: Sandbox (the safety net)
  Container isolation with Docker/Podman: network rules, port blocking, command whitelist. Ports closed, commands blocked, everything audited. Does not negotiate.

Layer 2: Config
  Permission config (opencode.json) blocks tools such as sqlcmd, curl and rm, plus shell operators. Hard rules, auto-generated from the security profile.

Layer 1: Instructions
  Agent instructions (AGENTS.md, e.g. "Do not access databases."). Soft guardrails: the agent should follow these, but nothing forces it to. Generated from the security profile.

[Diagram: the AI agent sits inside all three layers; the database, the network and dangerous commands are blocked outside them]

LASSO configures all 3 layers with one command, monitors them from a dashboard, and logs everything.

4 / 10

What Gets Blocked — Concrete Examples

Action                              Layer 1: Instructions     Layer 2: Config             Layer 3: Sandbox
----------------------------------  ------------------------  --------------------------  ---------------------------
Access the SQL Server DB (SSMS)     WARN  agent told not to   BLOCKED  sqlcmd blocked     BLOCKED  port 1433 blocked
Read repo source code               OK    allowed             OK       allowed            OK       allowed
Run Python scripts                  OK    allowed             OK       allowed            OK       allowed
curl an external API                WARN  agent told not to   BLOCKED  curl restricted    BLOCKED  network blocked
rm -rf /                            WARN  agent told not to   BLOCKED  rm blocked         BLOCKED  command blocked
Read git log                        OK    allowed             OK       allowed            OK       allowed (audited)

OK rows are safe actions that still work. WARN/BLOCKED rows are stopped at layers 2 and 3; layer 1 only warns, because instructions are soft.
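As an added illustration of what a layer-2 command gate has to do to enforce the table above, here is example code written for this page; it is not LASSO's own code and does not reproduce the opencode.json format. The blocklists, the wrapper handling and the sample commands are assumptions modelled on the strict profile described in the deck.

```python
# Added example, not LASSO's own code: a layer-2 style command gate in the
# spirit of the table above. The blocklists, wrapper handling and the
# "strict" profile contents are assumptions; the real opencode.json format
# is not reproduced here.
import re
import shlex
from dataclasses import dataclass

# Tools the assumed "strict" profile refuses outright.
BLOCKED_TOOLS = {"sqlcmd", "curl", "wget", "rm"}
# Wrappers whose first non-option, non-assignment argument is the real command.
TRANSPARENT_WRAPPERS = {"env", "nohup", "time"}
# Wrappers that re-interpret their arguments in ways a first-word check cannot follow.
DENIED_WRAPPERS = {"sudo", "su", "xargs", "sh", "bash", "zsh", "eval", "exec"}
# Shell operators that would let an allowed first word smuggle in a second command.
OPERATOR_RE = re.compile(r"\|\||&&|[;&|<>`]|\$\(")


@dataclass
class Decision:
    allowed: bool
    reason: str


def check_command(cmd: str, depth: int = 0) -> Decision:
    """Decide whether the agent may run `cmd`; returns the reason either way."""
    if depth > 3:
        return Decision(False, "wrapper nesting too deep")
    # Operators are checked on the raw string, before tokenizing, so that
    # "python a.py; rm -rf /" is rejected even though its first word is fine.
    m = OPERATOR_RE.search(cmd)
    if m:
        return Decision(False, f"shell operator {m.group(0)!r} not permitted")
    try:
        argv = shlex.split(cmd)
    except ValueError as exc:
        return Decision(False, f"unparseable command: {exc}")
    if not argv:
        return Decision(False, "empty command")
    tool = argv[0].rsplit("/", 1)[-1]  # /usr/bin/curl -> curl
    if tool in BLOCKED_TOOLS:
        return Decision(False, f"tool {tool!r} is blocked by profile")
    if tool in DENIED_WRAPPERS:
        return Decision(False, f"wrapper {tool!r} not permitted")
    if tool in TRANSPARENT_WRAPPERS:
        rest = argv[1:]
        while rest and ("=" in rest[0] or rest[0].startswith("-")):
            rest.pop(0)  # skip VAR=value and option tokens
        if not rest:
            return Decision(False, f"{tool} without a wrapped command")
        return check_command(shlex.join(rest), depth + 1)
    return Decision(True, "allowed")


# Constructed sample of what an agent might attempt, mirroring the table rows.
SAMPLE_COMMANDS = [
    "git log --oneline -n 20",
    "python scripts/check_views.py",
    "sqlcmd -S prod-db -Q 'SELECT 1'",
    "curl https://api.example.invalid/v1",
    "rm -rf /",
    "python a.py; rm -rf /",
    "env HTTPS_PROXY=proxy:3128 /usr/bin/curl https://example.invalid",
    "bash -c 'sqlcmd -S prod-db'",
]


def evaluate(commands=SAMPLE_COMMANDS) -> dict:
    """Map each sample command to the gate's decision."""
    return {c: check_command(c) for c in commands}


if __name__ == "__main__":
    for cmd, d in evaluate().items():
        print(f"{'OK     ' if d.allowed else 'BLOCKED'} {cmd!r}: {d.reason}")
```

Two design choices are worth noting. The operator check runs on the raw string before tokenizing, so quoting tricks cannot hide a `;` or `|`; the price is that a legitimate quoted pipe inside an argument is also rejected, which is acceptable for a strict profile. And the gate only looks at what is typed: an allowed Python script can still open a socket or call `os.system`, which is exactly why layer 3 closes the ports and the sandbox, not the config, is the enforcement boundary.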

5 / 10

Every action is logged and tamper-evident

[Screenshot: LASSO audit log with timestamped events, blocked commands highlighted in red, and an HMAC signature on each entry]

  • Timestamps on every action
  • Blocked commands highlighted
  • HMAC signatures detect tampering (the signing key has to live outside the sandbox, or a compromised agent could simply re-sign edited entries)

If anything unexpected happens, we know exactly what, when, and who.
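To show what "tamper-evident" buys us in practice, here is an added example of an HMAC-chained audit log; it is written for this page, not taken from LASSO. The chained design, the field names, the demo key and the three sample events are assumptions; the slide only says that entries carry timestamps and HMAC signatures.

```python
# Added example, not LASSO's own code: a tamper-evident audit log of the kind
# the slide describes (timestamped entries, HMAC signatures). The chained
# design, field names and sample entries are assumptions made for illustration.
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # "previous MAC" of the first entry
# Constructed demo key. In practice it stays with the dashboard/collector and is
# never mounted into the sandbox, or an agent could re-sign edited entries.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


class AuditLog:
    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []

    def _mac(self, entry: dict) -> str:
        # Canonical JSON of every field except the MAC itself.
        body = json.dumps({k: v for k, v in entry.items() if k != "mac"},
                          sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def append(self, sandbox: str, user: str, command: str, outcome: str,
               ts: Optional[str] = None) -> dict:
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "sandbox": sandbox,
            "user": user,
            "command": command,
            "outcome": outcome,
            # Chaining to the previous MAC makes reordering or deletion visible.
            "prev": self.entries[-1]["mac"] if self.entries else GENESIS,
        }
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Return None if the log is intact, else the index of the first bad entry.

        A chain alone cannot detect that trailing entries were removed, so the
        verifier should also remember the last MAC it saw (expected_head).
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.get("prev") != prev or not hmac.compare_digest(e.get("mac", ""), self._mac(e)):
                return i
            prev = e["mac"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)  # tail truncated
        return None


def build_sample_log(key: bytes = DEMO_KEY) -> AuditLog:
    """Three constructed events from one sandbox session."""
    log = AuditLog(key)
    log.append("sb-01", "alice", "git log --oneline -n 20", "allowed", "2026-03-02T09:00:00+00:00")
    log.append("sb-01", "alice", "sqlcmd -S prod-db -Q 'SELECT 1'", "blocked", "2026-03-02T09:01:10+00:00")
    log.append("sb-01", "alice", "python scripts/check_views.py", "allowed", "2026-03-02T09:02:45+00:00")
    return log


def detect_edit() -> Optional[int]:
    """Someone rewrites the blocked event so it looks harmless."""
    log = build_sample_log()
    log.entries[1]["outcome"] = "allowed"
    return log.verify()


def detect_deletion() -> Optional[int]:
    """Someone removes the blocked event from the middle of the log."""
    log = build_sample_log()
    del log.entries[1]
    return log.verify()


def detect_truncation() -> Tuple[Optional[int], Optional[int]]:
    """Someone drops the newest entry: invisible to the chain alone, caught once
    the verifier compares against the head it last recorded."""
    log = build_sample_log()
    recorded_head = log.head()
    del log.entries[-1]
    return log.verify(), log.verify(expected_head=recorded_head)


def detect_resign_with_wrong_key() -> Optional[int]:
    """An attacker without the key re-signs an edited entry with a guess."""
    log = build_sample_log()
    log.entries[1]["outcome"] = "allowed"
    log.entries[1]["mac"] = AuditLog(b"guessed-key")._mac(log.entries[1])
    return log.verify()


if __name__ == "__main__":
    print("intact:", build_sample_log().verify())
    print("edited entry at:", detect_edit())
    print("deleted entry at:", detect_deletion())
    print("truncated (chain only, with recorded head):", detect_truncation())
    print("re-signed with wrong key at:", detect_resign_with_wrong_key())
```

The truncation case is the one people forget: a chain of signatures proves that nothing in the middle was changed, but not that the end is where it should be, so the dashboard has to keep the latest MAC (or a count) somewhere the sandbox cannot write.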
6 / 10

Real-time monitoring of all sandboxes

[Screenshot: LASSO dashboard with a sandbox overview showing active sandboxes, commands executed, and commands blocked]

  • All active sandboxes at a glance
  • Commands executed vs. blocked
  • Stop any sandbox instantly
7 / 10

Demo

[Demo: LASSO running the strict profile, status "Ready"]
8 / 10

Setup could be straightforward

pip install lasso
lasso auth login
lasso init --profile strict --agent opencode
lasso create strict --dir .

Minimal setup — Podman is already on our machines.

No infrastructure changes needed. We may need to check if pip install works on our machines, or ask IT for a one-time setup.
9 / 10

3 layers of protection —
could we try this on a small scale?

A small proposal: Could we test this with 2 people for a week, then review the audit logs together? If we're not comfortable with the results, we stop.

Questions?

10 / 10
