Sandbox Plane
The immutable core — FLAME sandboxes, KRAIT rules, and the security analyzer that cannot be modified at runtime.
The Immutable Core
The sandbox plane is the innermost layer of KRAIT's architecture. Its components are compiled once, cryptographically hashed, and locked against modification for the lifetime of the running system. This is the foundation that makes self-evolving code safe: the rules that govern evolution are themselves immune to evolution.
FLAME and Ephemeral Docker Sandboxes
KRAIT uses FLAME (Fleeting Lambda Application for Modular Execution) to spawn short-lived Docker containers on demand. Every test execution, code evaluation, and untrusted computation runs inside one of these ephemeral sandboxes. The containers start from a minimal base image, mount no host volumes, and are destroyed immediately after use.
FLAME integration is handled through a custom backend that manages container pooling and lifecycle. Containers are pre-warmed during low-traffic periods to reduce cold-start latency, and resource limits (CPU, memory, network) are enforced at the Docker level. If a sandbox exceeds its allocation, it is killed without ceremony.
KRAIT Rules Engine
The rules engine defines the security invariants that all evolved code must satisfy. Each rule is identified by a code (KRAIT-001 through KRAIT-007 in the base set) and specifies forbidden AST patterns, required annotations, or structural constraints.
- KRAIT-001: No dynamic code execution (
Code.eval_string,:erlang.apply/3with variable MFA). - KRAIT-002: No file system access outside the designated workspace directory.
- KRAIT-003: No network calls except through the approved HTTP client wrapper.
- KRAIT-004: All public functions must have typespecs.
- KRAIT-005: No process spawning outside OTP supervision trees.
- KRAIT-006: No modification of application environment at runtime.
- KRAIT-007: No references to modules in the sandbox plane itself.
Security Analyzer
The security analyzer is a compile-time component that verifies the integrity of the rules engine and the Narsil NIF on startup. It computes SHA-256 checksums of all immutable-core modules and compares them against the expected values baked into the release. If any checksum fails, the system refuses to start. This ensures that even a compromised deployment pipeline cannot silently alter the rules that protect the agent.