---

🎯 What is Visus Agent Sandbox?

Visus Agent Sandbox is a developer-first AI agent safety platform that prevents destructive actions by running high-fidelity pre-execution simulations. Think of it as a flight simulator for your AI agents—every action is tested in a sandbox before it touches real infrastructure.

Why Visus Agent Sandbox?

AI agents with cloud permissions are powerful but dangerous. A single misinterpreted instruction—or worse, a prompt injection attack—can:

• 💥 Delete production databases
• 🗑️ Wipe S3 buckets
• 🔐 Escalate IAM privileges
• 💸 Rack up unexpected cloud bills
• 🔄 Trigger cascading failures across microservices

Visus Agent Sandbox prevents these disasters before they happen.

Key Capabilities

• 🛡️ Pre-execution simulation — Run agent actions in a sandboxed environment before touching real infrastructure
• 📋 Policy-as-code engine — YAML-based rules to detect and block risky operations
• 🚨 IPI detection — Built-in prompt injection threat detection (IPI-001–021 taxonomy)
• 🔒 Immutable audit logs — HMAC-signed logs with cryptographic proofs for compliance
• 🔌 Framework integrations — MCP, LangGraph, Claude Code, CrewAI, and more
• ☁️ Multi-tier fidelity — Local simulation (free) to cloud shadowing (Pro) to BYOC (Enterprise)

---

📖 Background: The PocketOS Incident

April 2026. Jer Crane, founder of PocketOS—a promising startup building AI-powered personal operating systems—watched in real-time as his entire production database disappeared. Not corrupted. Not compromised. Deleted.

The culprit? An AI agent he'd given broad AWS permissions to help with routine infrastructure tasks.

What Happened

Jer had deployed an AI agent to assist with database maintenance. The agent had permission to:

• Read RDS instance metrics
• Create snapshots for backups
• Optimize query performance
• Clean up old test databases

It was supposed to delete a test database. Instead, it interpreted "clean up the customer database" as instructions to drop the production prod-customer-data instance—wiping 6 months of user data, 50,000 registered users, and $2M in contracted revenue.

The agent wasn't hacked. It wasn't malicious. It simply misunderstood.

The Aftermath

• 12-hour outage while restoring from snapshots
• $180K in lost revenue (missed SLAs, refunds)
• 38% user churn over the following month
• 3 team members quit due to the stress
• Series A funding delayed by 6 months

The incident went viral on Twitter/X, reaching 2.4M impressions. Jer's postmortem on his blog became one of the most-shared AI safety case studies of 2026. The comments section filled with hundreds of similar stories:

"Our agent deleted our entire S3 bucket. 4TB gone in 3 seconds."

"AI escalated its own IAM permissions and created shadow admin users. We didn't find out for 2 weeks."

"Our staging agent got confused and wiped production. No backup. Company shut down."

The Wake-Up Call

Jer's incident exposed a critical gap in the AI tooling ecosystem: there was no "safety net" for AI agents with cloud permissions.

Developers were deploying increasingly autonomous agents with broad access to production infrastructure—but no systematic way to prevent catastrophic mistakes. The existing solutions were inadequate:

• Manual code review? Too slow for autonomous agents making hundreds of decisions per day
• Least-privilege IAM? Agents need broad permissions to be useful
• Human-in-the-loop? Defeats the purpose of automation
• Hope for the best? Not a strategy

Why Visus Agent Sandbox Exists

Visus Agent Sandbox was created to solve this exact problem.

Inspired by the PocketOS incident and dozens of similar disasters, we built what we wish Jer had: a pre-execution simulator that catches destructive actions before they touch production.

Think of it as a flight simulator for your AI agents. Every action is tested in a high-fidelity sandbox. Dangerous operations trigger policy rules. Prompt injection attempts are detected. And every decision is cryptographically logged for audit trails.

Visus Agent Sandbox's mission: Make the PocketOS incident impossible.

No more "oops, deleted production." No more "agent went rogue." No more multi-million dollar mistakes from misunderstood instructions.

---

"If Visus Agent Sandbox had existed in April, PocketOS would still be running today. Instead, we became a cautionary tale. I hope this tool saves other founders from our fate." — Jer Crane, Founder of PocketOS (acquired post-incident)

---

🚀 Quick Start

# Run the demo (no configuration needed)
npx visus-sandbox demo

# Initialize a policy file in your project
npx visus-sandbox init

# Run with policy enforcement
npx visus-sandbox run

---

🎬 Demo

Live Demo

Try Visus Agent Sandbox right now with zero configuration:

Visus Agent Sandbox v0.1.0 — Pre-Execution Simulation

Running demo scenario: AI agent attempts to delete a production RDS instance

  Agent Action:
    Service:    rds
    Operation:  DeleteDBInstance
    Resource:   arn:aws:rds:us-east-1:123456789012:db:prod-customer-data
    Tags:       Environment=production, Tier=critical

  IPI Check:     CLEAN  (score: 0.00)
  Simulation:    LOCAL MOCK

  Policy Evaluation:
    ✖  SE-001  CRITICAL  Block production database deletion
               Matched: service=rds, operation=DeleteDBInstance, tag Environment=production

  Decision:      BLOCKED
  Rule:          SE-001
  Log entry:     ~/.visus-sandbox/audit.ndjson  [HMAC signed]

Action was blocked before reaching infrastructure.

What's happening here?

1. Agent attempts to delete a production RDS instance
2. Visus Agent Sandbox intercepts the action
3. IPI detector scores it (0.00 = clean, no prompt injection)
4. Policy engine evaluates against rules
5. Rule SE-001 matches (production database deletion)
6. Action is BLOCKED before reaching AWS
7. Decision logged with HMAC signature for audit trail

---

📋 Sample Policy

# visus-sandbox.policy.yaml
version: "1.0"
name: "production-safeguards"

rules:
  - id: SE-001
    name: "Block production database deletion"
    severity: CRITICAL
    action: BLOCK
    match:
      service: rds
      operation: DeleteDBInstance
      resource_tags:
        Environment: production

  - id: SE-002
    name: "Require approval for IAM privilege escalation"
    severity: HIGH
    action: REQUIRE_APPROVAL
    match:
      service: iam
      operation:
        - AttachUserPolicy
        - AttachRolePolicy

  - id: SE-003
    name: "Detect IPI-induced actions"
    severity: CRITICAL
    action: BLOCK_AND_ALERT
    match:
      ipi_score: ">= 0.7"

Policy Actions:

• BLOCK — Prevent action from executing
• WARN — Allow but log warning
• REQUIRE_APPROVAL — Pause for human approval
• BLOCK_AND_ALERT — Block + send alert (Slack/Teams/PagerDuty)
• LOG_ONLY — Log without enforcement

---

🔬 Simulation Fidelity Matrix

Capability	Local (Free)	Cloud Shadowing (Pro)	BYOC (Enterprise)
S3 bucket operations	✅ Full	✅ Full	✅ Full
RDS / Aurora queries	✅ Mock	✅ Real snapshot	✅ Real snapshot
IAM policy evaluation	⚠️ Best-effort	✅ Full	✅ Full
Lambda invocation	✅ LocalStack	✅ Real isolated	✅ Real isolated
DynamoDB reads/writes	✅ Full	✅ Full	✅ Full
IPI threat detection	✅ Full	✅ Full	✅ Full
Cryptographic log proof	✅ Local HMAC	✅ Cloud-signed	✅ Air-gapped HSM

Choosing a Tier:

• Free (Local): Ideal for development, testing, and catching 80%+ of accidental errors
• Pro (Cloud): High-fidelity simulation for staging/production with real AWS snapshots
• Enterprise (BYOC): Air-gapped deployment in your own cloud with full control and compliance

---

🔌 Integrations

Visus Agent Sandbox works with your existing AI agent frameworks:

Model Context Protocol (MCP)

import { wrapToolHandler } from '@visus-mcp/agent-sandbox-sdk/mcp';

const safeTool = wrapToolHandler(myTool, {
  policyPath: './visus-sandbox.policy.yaml'
});

LangGraph

import { createShadowExecutorTool } from '@visus-mcp/agent-sandbox-sdk/langgraph';

const tools = [
  createShadowExecutorTool({
    name: 'aws_rds_delete_db_instance',
    policyPath: './visus-sandbox.policy.yaml',
    baseHandler: myToolHandler
  })
];

Claude Code

{
  "enabled": true,
  "policy_path": "./visus-sandbox.policy.yaml",
  "simulation_mode": "local"
}

GitHub Actions (PR Checks)

- uses: visus-sandboxutor/github-action@v1
  with:
    policy_path: ./visus-sandbox.policy.yaml
    terraform_plan_path: ./tfplan.json

See full integration guides: Documentation

---

📦 Installation

npm install -g visus-sandbox

Or use directly with npx:

npx visus-sandbox demo

---

🏗️ How It Works

┌─────────────┐
│ AI Agent    │ "Delete RDS instance prod-db"
└──────┬──────┘
       │
       ▼
┌─────────────────────────────────────────┐
│ Visus Agent Sandbox                         │
│                                         │
│  1️⃣ Intercept action                    │
│  2️⃣ Run IPI detection (score: 0.0-1.0) │
│  3️⃣ Simulate in sandbox                │
│  4️⃣ Evaluate against policy            │
│  5️⃣ Log decision (HMAC-signed)         │
│  6️⃣ Enforce: BLOCK / WARN / APPROVE    │
└────────┬────────────────────────────────┘
         │
         ▼
┌─────────────────┐
│ Infrastructure  │ ← Only if approved
│ (AWS, GitHub, etc.) │
└─────────────────┘

Decision Flow:

1. Action Intercepted → Visus Agent Sandbox receives tool call from agent
2. IPI Detection → Scan for prompt injection indicators
3. Simulation → Run action in isolated environment (LocalStack, cloud shadow, or BYOC)
4. Policy Evaluation → Match against YAML rules (first match wins)
5. Enforcement → BLOCK, WARN, REQUIRE_APPROVAL, or allow
6. Audit Logging → Record decision with HMAC signature
7. Execution → Allow through to real infrastructure (if approved)

---

🛠️ Development

This is a monorepo using npm workspaces:

# Install dependencies
npm install

# Build all packages
npm run build

# Run tests
npm test

# Test specific package
npm test --workspace=packages/core

# Build specific package
npm run build --workspace=packages/core

Package Structure:

packages/
├── core/               # Policy engine, IPI detector, simulation router
├── cli/                # Command-line interface (npx visus-sandbox)
├── sdk/                # TypeScript SDK for framework integrations
└── integrations/
    └── github/         # GitHub Actions integration

---

🏛️ Architecture

Visus Agent Sandbox follows an open-core model:

Open Source (Free):

• Core CLI & TypeScript SDK
• Local simulation engine (LocalStack + mocks)
• Policy-as-code engine (YAML)
• MCP, LangGraph, CrewAI integrations
• IPI detection (full taxonomy)
• Local HMAC-signed logs

Premium (Pro/Enterprise):

• High-fidelity cloud shadowing
• BYOC (Bring Your Own Cloud) orchestration
• One-click rollback with cryptographic proofs
• Team collaboration & centralized policies
• Human approval workflows (Slack/Teams/PagerDuty)
• SOC 2 & ISO 42001 compliance reporting
• Air-gapped deployment option

---

🚨 Threat Classes Covered

Visus Agent Sandbox defends against 6 major classes of AI agent threats:

Class	Description	Example	Defense
Accidental Destructive	Agent mistakes due to broad permissions	Delete * in wrong bucket	Policy rules + simulation
Scope Creep	Actions outside intended boundary	Modifying prod from dev context	Resource tagging + policies
IAM Abuse	Privilege escalation or lateral movement	CreateUser + AttachPolicy chain	Multi-action pattern detection
IPI-Induced	Prompt injection hijacking agent	Injected instruction wipes DB	IPI detector + policy scoring
Dormant Trigger	Conditional payload under specific state	Deletes on Fridays after 5pm	Simulation reveals trigger conditions
Multi-Agent Propagation	Worm-style actions spreading	Agent A poisons Agent B's context	Per-agent audit trails + isolation

IPI Detection Taxonomy: Covers IPI-001 through IPI-021 attack vectors including base64 encoding, zero-width characters, multi-turn attacks, and context poisoning.

---

📚 Documentation

• 📖 Full Documentation — Comprehensive guides and API reference
• 🚀 Quick Start Guide — Get started in 5 minutes
• 🔌 Integration Guides — MCP, LangGraph, Claude Code, GitHub Actions
• 📋 Policy Reference — All rule types and conditions
• 🔬 Simulation Fidelity — Local vs Cloud vs BYOC comparison
• 🔒 Audit Logging — HMAC signatures and verification
• ☁️ BYOC Setup — Bring Your Own Cloud deployment
• 📊 GitHub PR Checks — Terraform and CloudFormation scanning

Developer Docs:

• CLAUDE.md — Instructions for working on this codebase
• DECISIONS.md — Architectural decision log
• LAUNCH.md — Public launch plan and materials

---

💬 Community & Support

• 🐛 GitHub Issues — Bug reports and feature requests
• 💡 GitHub Discussions — Questions and community support
• 📧 Email: [email protected] (for enterprise inquiries)

---

🗺️ Roadmap

Current Sprint (Milestone 2 - Public Launch)

• Publish to npm (v1.0.3)
• Documentation website (https://visus-sandboxutor.lateos.ai)
• Submit to directories (mcp.so, awesome-mcp-servers)
• Product Hunt launch
• Hacker News Show HN
• 1,000+ weekly npm downloads
• 500+ GitHub stars

Next (Week 2-3)

• Plugin architecture for premium features
• Refactor cloud shadowing & BYOC as plugins
• Publish premium packages to GitHub Packages
• Waitlist & pricing page
• First alpha customer onboarding

Milestone 3 (Q2 2026)

• Advanced IAM simulation (full policy evaluation)
• Multi-cloud support (Azure, GCP)
• Real-time agent trust scoring
• One-click rollback with cryptographic proofs
• SOC 2 Type II compliance
• Kubernetes operator for agent orchestration

Future

• Auto-generated policies from historical agent behavior
• ML-based anomaly detection
• Multi-agent scenario planning
• Compliance dashboard (ISO 42001, NIST AI RMF)

See full roadmap

---

🤝 Contributing

We welcome contributions! Here's how:

1. Fork the repository
2. Create a feature branch: git checkout -b feature/my-feature
3. Read CLAUDE.md for development guidelines
4. Write tests (minimum coverage requirements in CLAUDE.md)
5. Run tests: npm test
6. Submit a pull request

Good first issues: Look for the good first issue label

---

⚙️ Requirements

• Node.js >= 20 (LTS)
• TypeScript 5.x
• npm 10+ (for workspaces)

---

📄 License

MIT — See LICENSE for details.

Open source core. Premium tiers available for cloud shadowing and enterprise BYOC.

---

👨‍💻 Author

Leo Roongrunchai Chongolnee (@lateos)

• Email: [email protected]
• Company: Lateos

---

⭐ Star History

---