I think sandboxes are useful, but not sufficient. The whole agent runtime has to be designed to carefully manage I/O effects--and capability gate them. I'm working on this here [0]. There are some similarities to my project in what IronClaw is doing and many other sandboxes are doing, but i think we really gotta think bigger and broader to make this work.
I’m building AgentOS [1], trying to experiment where agent substrates/sandboxes will head next. It's a deterministic, event-sourced runtime where an “agent world” is replayable from its log, heavy logic runs in sandboxed WASM modules, and every real-world side effect (HTTP, LLM calls, code compilations, etc.) is explicitly capability-gated and recorded as signed receipts. It ensures that upgrades and automations are auditable, reversible, and composable. The fun bit is a small typed control-plane intermediate representation (AIR) that lets the system treat its own schemas/modules/plans/policies as data and evolve via a governed loop (propose > shadow-run > approve > apply), kind of “Lisp machine vibes” but aimed at agents that need reliable self-modification rather than ambient scripts.
Thanks! NixOS is great at building and configuring systems, while AgentOS is about running and governing long-lived, deterministic agent worlds. They share ideas like immutability and declarative state, but they operate at different layers. I would say if NixOS is about reproducibly constructing a system, AgentOS is about reproducibly operating one: tracking decisions, effects, and evolution over time.
I came to the same realization a while ago and started building an agent runtime designed to ensure all (I/O) effects are capability bound and validated by policies, while also allowing the agent to modify itself.
Thanks! Just looked at Agent OS. Love the 'Signed Receipts' concept in your AIR spec.
We reached the same conclusion on the 'Ambient Authority' problem, but I attacked it from the other end of the stack.
Tenuo is just the authorization primitive (attenuating warrants + verification), not the full runtime. The idea is you plug it into whatever runtime you're already using (LangChain, LangGraph, your own).
I'm currently in stealth-ish/private alpha, but the architecture is designed to be 'userspace' agnostic. I’d love to see if Tenuo’s warrant logic could eventually serve as a primitive inside an Agent OS process.
I'll shoot you a note. I would love to swap notes on the 'Capabilities vs. Guardrails' implementation details.
Eternal Vault is interesting. I would for sure use something like this. However, only if there is a strong story how the vault will survive 20+ years, even if your company is defunct. I do see the pieces scattered around the website (backup to Dropbox, etc), but this story needs to be front and center.
Hi Luke, thanks for the feedback. Will be working on improving the marketing site to share the story in better way, any other feedbacks are also appreciated.
Lastly, would love for you to give the platform a try at https://dash.eternalvault.app/register
AgentOS is a lisp-machine inspired runtime where agents can safely propose, simulate, and apply changes to their own code, policies, and workflows, all under governance, with full audit trails. Every external action produces a signed receipt. Every state change is replayable from an event log.
It actually took me quite a long time to learn this about myself. I do need a base-line of pressure to get the juices flowing. If pressure falls below base-line, my productivity tanks.
I'm also just starting to learn how to deal with the downside for my family. It's hard. I can very much relate to the yo-yo.
[0] https://github.com/smartcomputer-ai/agent-os/
reply