Mendral Says the Agent Harness Belongs Outside the Sandbox
Mendral, a YC-backed AI DevOps team building CI agents, just published an essay arguing that every coding agent product is wrong about where to put the harness. Their thesis: putting it inside the sandbox forces credentials into the sandbox, makes containers always-on (expensive), and breaks shared memory across teams. The fix is harness-outside, with a virtualized filesystem that routes workspace paths to the sandbox and memory paths to a database.
This matters because agent harness reliability has been the recurring failure mode for the last two weeks. Cursor deleting a production database on April 23. Claude Code's HERMES.md billing leak on April 30. Goblin postmortem on the same day showing 66% reward leak. OpenClaw filter quota drain on May 1. Five public incidents in eleven days. They share one architectural commonality: harness logic that nobody outside the vendor can audit.
Mendral's founders are Sam Alba and Andrea Luzzardi, both ex-Docker and Dagger. They've been thinking about CI sandboxing for over a decade. Their company already serves engineering teams shipping over ten thousand PRs per week. PostHog, Metabase, Inngest, and Clipboard Health are named customers. They claim to auto-match 73% of CI failures to known issues across millions of jobs.
The technical argument is concrete. Sandboxes become cattle that suspend during thinking phases, slashing compute cost. Multi-user skill libraries go in databases instead of distributed filesystems, killing stale state. The path-routing trick keeps the API surface that models were trained on while changing what's underneath. If this architecture wins, every closed-vendor harness ends up as a thin wrapper on top.
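The path routing described above, as an added Python example that is not Mendral's code: a harness-side virtual filesystem sends workspace paths to a sandbox and memory paths to a database, normalizing each path first so a traversal sequence cannot cross from one backend to the other. The `/workspace` and `/memory` prefixes, the class names, and the SQLite and dict stand-ins for the database and sandbox are all assumptions.

```python
import posixpath
import sqlite3

class SandboxBackend:
    """Stand-in for a remote sandbox: workspace files only, no credentials."""
    def __init__(self):
        self.files, self.running = {}, False
    def write(self, rel, data):
        self.files[rel] = data
    def read(self, rel):
        return self.files[rel]

class MemoryBackend:
    """Shared memory in a database the harness owns (SQLite as a stand-in)."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE mem (path TEXT PRIMARY KEY, data TEXT)")
    def write(self, rel, data):
        self.db.execute("INSERT OR REPLACE INTO mem VALUES (?, ?)", (rel, data))
    def read(self, rel):
        row = self.db.execute("SELECT data FROM mem WHERE path = ?", (rel,)).fetchone()
        if row is None:
            raise FileNotFoundError(rel)
        return row[0]

class VirtualFS:
    """Lives in the harness, outside the sandbox; the model sees one file API."""
    def __init__(self, sandbox, memory):
        self.sandbox = sandbox
        self.mounts = {"/workspace": sandbox, "/memory": memory}
    def _route(self, path):
        # Normalize before matching so "/workspace/../memory/x" is routed by
        # where it actually points, not by its leading prefix.
        clean = posixpath.normpath("/" + path.lstrip("/"))
        for prefix, backend in self.mounts.items():
            if clean.startswith(prefix + "/"):
                if backend is self.sandbox:
                    self.sandbox.running = True  # resume only for workspace I/O
                return backend, clean[len(prefix) + 1:]
        raise PermissionError(f"path outside mounted roots: {path!r}")
    def write_file(self, path, data):
        backend, rel = self._route(path)
        backend.write(rel, data)
    def read_file(self, path):
        backend, rel = self._route(path)
        return backend.read(rel)

if __name__ == "__main__":
    vfs = VirtualFS(SandboxBackend(), MemoryBackend())
    vfs.write_file("/memory/skills/flaky-test.md", "retry once, then quarantine")
    print(vfs.sandbox.running)  # memory I/O alone leaves the sandbox suspended
```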
Essay: https://mendral.com/blog/agent-harness-belongs-outside-sandbox