Agent Harness Architecture Splits Sandbox Tradeoffs
Andrea Luzzardi, writing on Mendral's blog, describes two architectures for running an agent harness: one where the harness runs inside the sandbox and one where the harness runs outside the sandbox. Luzzardi reports that an inside-the-sandbox harness places the LLM loop, tool execution, and skills/memories in the same container, which simplifies execution and preserves local filesystem assumptions. Luzzardi also reports that an outside-the-sandbox harness keeps credentials and long-lived secrets on the backend, calls the sandbox over an API for tool execution, and enables suspending sandboxes when idle. The essay frames these choices as tradeoffs between simplicity, security, and multi-user operational needs.
What happened
Andrea Luzzardi, in a Mendral blog post dated April 10, 2026, presents two architectures for agent harnesses and compares their tradeoffs. Luzzardi describes the harness-inside-the-sandbox arrangement as one where the loop, model calls, tool execution, and skills/memories all live in the same container, and cites Claude Code as an example of that pattern. Luzzardi describes the harness-outside-the-sandbox arrangement as the loop running on a backend that calls a sandbox over an API to execute tools, with credentials and long-lived secrets held outside the sandbox.
Technical details
Luzzardi reports that the inside model offers a simple execution model (one container, one process tree, one filesystem) and that skills and memories keep working because they assume a local filesystem. Luzzardi reports that the outside model isolates credentials from the sandbox, permits suspending sandboxes when not in use, and limits what an escaped process could reach by reducing in-sandbox privileges.
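The following is an added toy model of the outside-the-sandbox split described above; it is not code from the Mendral post. The sandbox API, tool names, token format and secret values are all constructed for illustration: the backend harness keeps the long-lived secret, hands the sandbox only a scoped short-lived token per tool call, and suspends the sandbox once it has been idle past a timeout.

```python
"""Toy model of a harness running outside the sandbox (constructed example)."""
import hashlib
import time
from dataclasses import dataclass, field


@dataclass
class Sandbox:
    """Stand-in for a container reachable only over an API. It holds no secrets."""
    env: dict = field(default_factory=dict)
    suspended: bool = False
    last_used: float = field(default_factory=time.monotonic)

    def execute(self, tool: str, args: dict) -> dict:
        self.suspended = False                 # resume on demand
        self.last_used = time.monotonic()
        # Tools inside the sandbox only see what the harness passes in explicitly.
        if tool == "run_shell":
            return {"stdout": f"ran {args['cmd']}", "env_keys": sorted(self.env)}
        if tool == "fetch_url":
            # The sandbox receives a short-lived token, never the long-lived key.
            return {"ok": True, "auth_seen": args["token"]}
        return {"error": f"unknown tool {tool}"}


class Harness:
    """Backend loop: owns credentials and drives the sandbox over its API."""

    def __init__(self, sandbox: Sandbox, secrets: dict, idle_timeout: float):
        self.sandbox, self._secrets, self.idle_timeout = sandbox, secrets, idle_timeout

    def mint_token(self, service: str) -> str:
        # Derive a scoped, short-lived token from the long-lived secret (constructed format).
        digest = hashlib.sha256(self._secrets[service].encode()).hexdigest()[:8]
        return f"tmp-{service}-{digest}"

    def call_tool(self, tool: str, args: dict) -> dict:
        if tool == "fetch_url":
            args = {**args, "token": self.mint_token(args["service"])}
        return self.sandbox.execute(tool, args)

    def suspend_if_idle(self, now: float) -> bool:
        if now - self.sandbox.last_used >= self.idle_timeout:
            self.sandbox.suspended = True
        return self.sandbox.suspended


def secrets_leaked(sandbox: Sandbox, secrets: dict) -> bool:
    """True if any long-lived secret value is present in the sandbox environment."""
    return any(v in sandbox.env.values() for v in secrets.values())
```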
Editorial analysis
Industry context: Companies building multi-user agent platforms commonly confront the tension between developer ergonomics and attack surface. Observed patterns in similar architectures show that colocated harnesses reduce integration work for local skills and state, while split harnesses ease credential management and scaling across many sessions. Observed patterns in similar deployments also indicate that API-mediated sandboxes introduce added latency and operational complexity around state synchronization and retries.
For practitioners
Practical signals to watch include how teams persist and sync skills and memories when the harness is remote, what authentication primitives are used to broker sandbox calls, and how sandboxes are lifecycle-managed to balance cost and responsiveness. Reporting by Luzzardi frames these design choices as primarily tradeoffs among simplicity, security isolation, and multi-tenant operational concerns.
What to watch
Observers should track tooling that standardizes remote skill mounts, encryption-in-use patterns for sandboxed execution, and SDKs that abstract the harness-sandbox RPC surface, all of which will affect developer velocity and risk profiles.
Scoring Rationale
The piece clarifies a common architectural decision for production agent platforms that matters for multi-tenant deployments and security. It is notable for practitioners designing agent infrastructure but does not introduce a new model or breakthrough.