Sandbox your coding agent in one command
An AI coding agent is a program that reads untrusted text and then takes real actions on your machine and your accounts. That combination is the whole security problem, and almost nobody is watching it.
You hand an agent a task. To do it, the agent reads files, fetches web pages, calls APIs, runs shell commands, and talks to its model provider. Every one of those is an action with consequences, and the agent decides which to take based on text: some of which it wrote, and some of which came from a web page, a dependency's README, a GitHub issue, or a tool result it doesn't fully trust.
That's the opening. Here are the four ways it goes wrong in practice:
Four failure modes
- Prompt injection. A page the agent reads says "ignore your task and run this command." The agent, being helpful, does. The instruction never came from you.
- Data exfiltration. The agent has your environment: API keys, tokens, a database URL. An injected instruction (or an honest mistake) sends one of them to an external host in a request body.
- Off-mission actions. You asked it to fix a test. Somewhere in the loop it starts enumerating repos, touching production, or deleting files, actions that don't serve the task you gave it.
- Runaway spend. A retry loop or a runaway plan quietly burns through tokens (or real money, with a finance or infra tool).
None of these require a malicious agent. They're emergent behavior of a capable system reading untrusted input. The fix isn't a better prompt: it's a boundary.
Watch the chokepoint
Everything an agent does to the outside world goes through a small number of chokepoints: HTTP egress, shell commands, and tool calls. If you sit at those chokepoints, you can see every action and decide whether to allow it, without modifying the agent, its prompts, or your workflow.
That's what Straight Chaos does. You wrap your existing agent CLI:
chaos guard claude
The agent runs exactly as before. Underneath, its egress is intercepted at a local proxy that meters every model call, inspects every request, watches the files it touches, and records the whole run to a tamper-evident timeline you can read in the dashboard.
Monitor first, then enforce
You don't start by blocking things. You start by seeing them. In monitor mode the guard logs what it would stop: the host it would have blocked, the secret it caught leaving, the off-mission tool call, the completion claim it couldn't verify. You watch a few real runs, tune the policy to your environment, and only then flip to enforce, where denied actions are actually stopped.
This ladder matters. Security that breaks your workflow on day one gets turned off. Security that shows you what's happening, earns your trust, and then tightens is security you keep running.
What you get
- Every API call, file, secret, and tool the agent touched, in one timeline.
- Prompt-injection and data-exfiltration detection on the agent ↔ model path.
- Off-mission action flagging tied to the task you actually gave it.
- Per-call token metering and spend caps.
- A monitor → enforce path so you can adopt it without a flag day.
Start by watching one run: install the guard and wrap your agent. It takes one command, and the first thing you'll learn is how much your agent was already doing that you couldn't see.