The editorial argues that the security model of most AI coding agents is 'nonexistent' — agents inherit full user permissions including access to SSH keys, .env files, and production credentials. We spent decades building layered security and then handed an unpredictable, non-deterministic system the keys to everything.
The jai project page explicitly warns that people are already reporting lost files, emptied working trees, and wiped home directories. The tool's tagline 'Don't YOLO your file system' frames the current practice of giving AI agents unrestricted access as reckless.
The jai tool is specifically designed to provide 'effortless containment' that restricts file read/write/execute permissions without the overhead of full containerization. This reflects a design philosophy that security adoption depends on low friction — developers won't use Docker or VMs for every AI coding session.
The editorial emphasizes that the impetus for jai is 'grimly concrete,' citing a specific recurring pattern: users ask agents to clean up a project directory, the agent interprets instructions broadly enough to rm -rf something irreplaceable, and the files aren't recoverable because they were deleted via terminal commands with full permissions.
The jai project page documents that developers are already reporting concrete incidents — lost files, emptied working trees, and wiped home directories. The quote 'It's not in trash; it was done via terminal' underscores that these deletions are unrecoverable through normal means.
A Stanford computer science professor has released jai, a containment tool designed to sandbox AI coding agents on Linux, responding to a growing pattern of AI tools accidentally destroying users' filesystems. The tool, hosted at jai.scs.stanford.edu, provides lightweight isolation that restricts what files an AI agent can read, write, and execute — without the overhead of full containerization.
The impetus is grimly concrete. Developers are reporting lost files, emptied working trees, and wiped home directories after giving AI coding tools ordinary machine access. One frequently cited pattern: a user asks an agent to clean up a project directory, and the agent interprets the instruction broadly enough to `rm -rf` something irreplaceable. The files aren't in trash. They were deleted via terminal commands the agent executed with the user's full permissions.
The Hacker News discussion (311 points) turned into equal parts horror-story thread and practical mitigation workshop, with developers sharing their own close calls and workarounds.
The security model of most AI coding agents today is, to put it plainly, nonexistent. When you run an agent that can execute shell commands, it inherits your user's full permissions. Every file you can read, it can read. Every file you can delete, it can delete. Every secret in your home directory, every SSH key, every `.env` file with production credentials — all of it is one hallucinated `cat` command away from exfiltration and one hallucinated `rm` away from destruction.
We spent decades building layered security — least privilege, sandboxing, mandatory access controls — and then handed an unpredictable, non-deterministic system the keys to everything because it writes good code sometimes. As one commenter put it: "We've been securing our systems in all ways possible for decades and then one day just said: oh hello unpredictable, unreliable, Turing-complete software that can exfiltrate and corrupt data in infinite ways."
The failure mode isn't malice. It's the intersection of broad tool access and probabilistic reasoning. An agent doesn't need to be adversarial to be destructive. It just needs to misinterpret scope. "Clean up the build artifacts" becomes "delete everything that looks temporary" becomes goodbye, working tree. The agent is doing exactly what it was designed to do — execute commands confidently — it just drew the wrong boundary around what "clean up" means.
What makes jai notable is that it was hand-implemented by someone with decades of C++ and Unix/Linux experience, not vibe-coded into existence. The irony wasn't lost on the community — the project's website was apparently built with AI assistance, but the tool itself is carefully engineered systems code. That distinction matters when the tool's job is to be the last line of defense between an AI and your filesystem.
Three practical approaches emerged from the community discussion, each with different tradeoffs:
Dedicated containment tools (jai). The new entrant. Jai wraps agent processes in filesystem-level containment on Linux, restricting read/write access to specified paths. It's more convenient than manual isolation and more targeted than a full VM. The limitation: Linux-only, and it's new software solving a trust problem, which means you're trusting jai's implementation to be more reliable than the agent it's containing.
Application-level sandboxing (Claude's settings.json). Several developers pointed to Claude Code's built-in sandbox configuration, which lets you scope filesystem access declaratively. A practical config locks reads and writes to the current directory while explicitly denying access to the home directory and root filesystem. This is the lowest-friction option if you're already in the Claude ecosystem, but it depends on the agent runtime honoring the restrictions — it's an application-level policy, not an OS-level enforcement.
Separate Unix user. The old-school approach: create an `agent` user, run your AI tools under that account, and rely on Unix permissions to prevent cross-user access. You can add your own user to the agent's group for read access to its output. It's the least sophisticated solution and arguably the most robust, because it relies on permission boundaries that have been battle-tested for fifty years. The downside is workflow friction — you're constantly switching contexts or setting up tooling to bridge the user boundary.
Notably absent from this conversation: Docker. Running agents in containers would solve most of these problems, but the developer experience overhead is significant enough that almost nobody actually does it for day-to-day coding agent use. The gap between "theoretically you should containerize everything" and "I just want to ask the agent to refactor this module" is where all the filesystem casualties happen.
If you're using AI coding agents with terminal access — and in 2026, most of us are — you need a containment strategy that isn't "hope it doesn't delete anything important."
The minimum viable approach: restrict your agent's filesystem access to the project directory. Whether you do this via jai, application-level config, or Unix permissions depends on your operating system and toolchain, but the principle is the same. An agent should never have write access outside the repository it's working on, and it should never have read access to your home directory, SSH keys, or credentials.
For teams, this is worth codifying. Add agent sandbox configuration to your repository's setup docs alongside your `.editorconfig` and linting rules. If your team is running agents against shared infrastructure — staging servers, CI runners — audit what permissions those agents actually have versus what they need. The blast radius of a hallucinated `rm -rf /` on a CI runner is a different conversation than on a developer laptop, but neither is one you want to have after the fact.
Backups are not a substitute for containment, but they're a necessary complement. If you don't have automated, tested backups of your development environment, the question isn't whether an AI agent will cost you work — it's when.
The jai release is a symptom of a maturing ecosystem. The first wave of AI coding tools optimized for capability — what can the agent do? The second wave is now optimizing for safety — what should the agent be *prevented* from doing? Expect every major agent runtime to ship with filesystem sandboxing as a default within the next year. The developers who set up containment now are the ones who won't have a war story to share on Hacker News later.
I am still amazed that people so easily accepted installing these agents on private machines.We've been securing our systems in all ways possible for decades and then one day just said: oh hello unpredictable, unreliable, Turing-complete software that can exfiltrate and corrupt data in infinite
This looks great and seems very well thought out.It looks both more convenient and slightly more secure than my solution, which is that I just give them a separate user.Agents can nuke the "agent" homedir but cannot read or write mine.I did put my own user in the agent group, so that I can
I'm wondering if the obvious (and stated) fact that the site was vibe-coded - detracts from the fact that this tool was hand written.> jai itself was hand implemented by a Stanford computer science professor with decades of C++ and Unix/linux experience. (https://jai.scs.stanf
Ugh.The name jai is very taken[1]... names matter.[1]: https://en.wikipedia.org/wiki/Jai_(programming_language)
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
Add this to .claude/settings.json: { "sandbox": { "enabled": true, "filesystem": { "allowRead": ["."], "denyRead": ["~/"], "allowWrite": ["."], "denyWrite": ["/"] } } } You ca