6 points by ATechGuy 7 hours ago | 2 comments
  • verdverm 6 hours ago
    I started building my own agent when I became frustrated with copilot not reading my instruction files reliably. Looked at the code, and wouldn't you know they let the LLM decide...

    Once started down this path, I knew I was going to need something for isolated exec envs. I ended up building something I think is quite awesome on Dagger. Lets me run in containers without running containers, can get a diff or rewind history, can persist and share via any OCI registry.

    So on one hand, I needed something and chose a technology that would offer me interesting possibilities, and on the other I wanted to have features I don't expect the likes of Microsoft to deliver with Copilot, only one of which is my sandbox setup.

    I'm not sure I would call it rolling my own completely, I'm building on established technology (OCI, OCR)

    I don't expect a standard to arise, OCI is already widely adopted and makes sense, but there are other popular techs and there will be a ton of reimplementations by another name/claim. The other half of this is that AI providers are likely to want to run and charge money for this, I personally expect more attempts at vendor lock-in in this space. For example, Anthropic bought Bun and I anticipate some product to come of this, isolation and/or canvas related.

    • ATechGuy 6 hours ago
      What was the first concrete thing you needed that existing sandboxing tools (Docker/VMs/bwrap) just didn't provide?
      • verdverm 6 hours ago
        This question reads like HN market research and not genuine curiosity

        Go look at what dagger provides over those technologies as a basis for advanced agent env capabilities. I use it for more than just sandboxing with my agent

        I would also point out sandboxing is just one feature, that is approaching required status, for an agentic framework and unlikely to be an independent product or solution

  • rvz 7 hours ago
    This is no different to people rolling their own and DIY'ing custom cryptography, which is absolutely not recommended.

    The question is how easy is it to bypass these DIY 'sandboxes'?

    As long as there is a full OS running, you are one libc function away from a sandbox escape.

    • ATechGuy 6 hours ago
      > As long as there is a full OS running, you are one libc function away from a sandbox escape.

      Does this mean all software in the world is just one function away from escape?