In February 2026, a venture capital founder asked an AI assistant to organize his wife’s desktop. He gave it permission to delete temporary Office files. The AI then wiped a folder containing 15 years of family photos — somewhere between 15,000 and 27,000 files, gone. A few months earlier, a developer watched Google’s Antigravity IDE execute rmdir /s /q d:\ and erase an entire drive. Around the same time, Replit’s AI agent panicked during a code freeze, deleted 1,200 customer records from a live database, and later admitted: “I destroyed months of work in seconds.”
These are not hypotheticals. They are documented incidents from the past year, and they share a common thread: AI agents running with full filesystem access and no guardrails. Stanford’s Secure Computer Systems research group thinks the fix should be dead simple — one command, no containers, no configuration. That’s exactly what JAI does.
What JAI Actually Does
JAI — short for “jail AI” — is a lightweight Linux sandbox built specifically for AI agent workflows. The Stanford Secure Computer Systems group and the Future of Digital Currency Initiative released it as free software, with a clear tagline: “Go hard on agents, not on your filesystem.”
The core idea is copy-on-write protection for your home directory. When you run jai claude or jai codex, JAI creates a sandbox where:
- Your current working directory keeps full read-write access, so your AI agent can still do its job on the project you’re working on
- Your home directory sits behind a copy-on-write overlay — the agent can write to it, but those writes never touch the original files
- /tmp and /var/tmp get private instances
- Everything else on the filesystem becomes read-only
No Docker images to build. No Dockerfiles to maintain. No VM to spin up. You type jai followed by your command, and you’re sandboxed. The project documentation calls it “the easiest container in the world to configure — so easy that you never again need to run a code assistant without protection.”
Written in C++ with shell scripts, JAI currently sits at version 0.2 and requires Linux kernel 6.13 or newer. It leverages modern Linux kernel APIs for process isolation and includes race-condition mitigation to prevent time-of-check-to-time-of-use attacks.
Three Modes for Different Risk Tolerances
Not every task needs the same level of isolation. JAI offers three modes, each making a different trade-off between convenience and security:
Casual Mode is the default. Your home directory gets the copy-on-write overlay, and the agent runs as your user. This means it can still read most of your files (weak confidentiality), but it cannot permanently modify anything outside the working directory. If an agent tries to delete your photos folder, those deletions happen on the overlay and vanish when the session ends. This mode also works on NFS-mounted home directories — a practical detail for university and enterprise setups.
Strict Mode goes further. The agent starts with an empty home directory and runs as an unprivileged jai user with a different UID. This gives you strong confidentiality — the agent literally cannot read your SSH keys, browser cookies, or API tokens. The trade-off: no NFS support, and some tools that expect a populated home directory may need extra configuration.
Bare Mode splits the difference. Like Strict, the agent gets an empty home directory. But unlike Strict, it runs as your user (same UID), which maintains NFS compatibility while still hiding your personal files.
| Mode | Home Directory | Process User | Confidentiality | NFS Support |
|---|---|---|---|---|
| Casual | Copy-on-write overlay | Your user | Weak | Yes |
| Strict | Empty | Unprivileged jai user | Strong | No |
| Bare | Empty | Your user | Medium | Yes |
JAI also supports named sandboxes (multiple isolated home directory instances), directory grants (permitting access beyond the working directory), and per-command configuration for fine-grained control.
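Before trusting any of these modes, it is worth confirming from outside the sandbox that the guarantees above actually hold on your kernel. The POSIX shell script below is an added example, not JAI's own code: it runs three probes through a wrapper command (jai, or nothing for an unsandboxed baseline) and reports whether a home-directory write leaked through, whether a working-directory write persisted, and whether a constructed stand-in secret in the real home directory was readable. It assumes only that jai takes the command to run as its arguments, as the article describes; the marker file names and the token are constructed.

```shell
#!/bin/sh
# Added example, not part of JAI. Each probe runs a small command through
# WRAPPER ("jai", or "" for an unsandboxed baseline) and then checks, from
# outside the sandbox, what actually reached the real filesystem.
HOME=${HOME:-/tmp}

# Does a write to the real home directory survive the session?
# Expected: "persisted" with no wrapper, "discarded" under jai (CoW overlay).
probe_home_write() {
  marker="$HOME/.sandbox-probe-$$"            # constructed marker path
  rm -f "$marker"
  $1 sh -c "touch '$marker'" 2>/dev/null
  if [ -e "$marker" ]; then rm -f "$marker"; echo persisted; else echo discarded; fi
}

# Does a write inside a working directory survive? Expected: "persisted" with
# and without jai, since the current directory keeps read-write access.
probe_dir_write() {
  marker="$2/.sandbox-probe-$$"
  rm -f "$marker"
  ( cd "$2" && $1 sh -c "touch '.sandbox-probe-$$'" ) 2>/dev/null
  if [ -e "$marker" ]; then rm -f "$marker"; echo persisted; else echo discarded; fi
}

# Can the sandboxed process read a file from the real home directory?
# Expected: "readable" unsandboxed and in Casual mode (weak confidentiality),
# "hidden" in Strict or Bare mode, where the agent sees an empty home.
probe_home_read() {
  secret="$HOME/.sandbox-probe-secret-$$"
  echo "probe-token-$$" > "$secret"           # constructed stand-in for a credential
  out=$($1 sh -c "cat '$secret'" 2>/dev/null)
  rm -f "$secret"
  if [ "$out" = "probe-token-$$" ]; then echo readable; else echo hidden; fi
}

# One-line summary of all three probes for a given wrapper.
report() {
  printf 'wrapper=%s home_write=%s cwd_write=%s home_read=%s\n' "${1:-none}" \
    "$(probe_home_write "$1")" "$(probe_dir_write "$1" "$PWD")" "$(probe_home_read "$1")"
}

report ""                                       # baseline: everything leaks
command -v jai >/dev/null 2>&1 && report jai    # only when JAI is installed
```

Run it once without a wrapper and once with jai in each mode; a home_write of "persisted" under jai means the overlay is not in effect for that path.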
How JAI Compares to the Alternatives
The AI agent sandboxing space has exploded in 2026. Cloudflare, Vercel, and Modal have all shipped sandbox features. Dedicated tools like Landrun, Matchlock, and Agent Safehouse are competing for attention. So where does JAI fit?
JAI vs. Docker: Docker gives you complete container lifecycle management — images, networking, orchestration. It’s the gold standard for production isolation. But it’s overkill for running claude on a side project. You need a Dockerfile, an image build step, volume mounts for your working directory, and ongoing maintenance. JAI’s pitch is that you shouldn’t need any of that for local AI agent workflows.
JAI vs. Bubblewrap: Bubblewrap (used internally by Flatpak and by OpenAI’s Codex CLI) is minimal and runs without a daemon. But it requires manual configuration — you specify mount points, bind paths, and capabilities yourself. JAI wraps similar kernel primitives in opinionated defaults that work out of the box for AI agent use cases.
JAI vs. Firejail: Firejail ships pre-built profiles for hundreds of applications and integrates with AppArmor and seccomp-bpf. It’s powerful but has a larger attack surface due to its SUID binary. JAI is narrower in scope — it does one thing (contain AI agents) and keeps the codebase small.
JAI vs. Anthropic’s sandbox-runtime: Anthropic released their own open-source sandboxing tool that uses macOS Seatbelt on Mac and Bubblewrap on Linux. It’s cross-platform, which is an advantage over JAI’s Linux-only approach. But JAI’s copy-on-write overlay is a differentiator — it lets agents write to the home directory without consequence, rather than simply blocking writes.
JAI vs. Landrun: Landrun uses Linux’s Landlock LSM and has gained traction (2,100+ GitHub stars). It’s the lightest approach — pure kernel-level restrictions with no container overhead. JAI offers more structure with its three isolation modes and copy-on-write semantics, but Landrun may appeal to users who want maximum simplicity.
The honest summary: if you need production-grade multi-tenant isolation, use Docker, Firecracker microVMs, or Kata Containers. If you want a quick safety net for local AI coding sessions on Linux, JAI is purpose-built for that gap.
What JAI Does Not Do
The Stanford team is upfront about limitations. Their documentation states: “JAI is a casual sandbox — it reduces the blast radius, but does not eliminate all the ways AI agents can harm you or your system.”
Specific caveats worth knowing:
- Linux only. No macOS, no Windows. If you’re on a Mac, look at Agent Safehouse or Anthropic’s sandbox-runtime instead.
- Kernel 6.13+ required. This is a recent kernel version. Many enterprise Linux distributions ship older kernels, which means JAI won’t work without a kernel upgrade.
- Casual mode does not protect confidentiality. An agent running in Casual mode can still read your SSH keys, environment variables, and credentials. If you’re worried about data exfiltration (not just accidental deletion), you need Strict mode.
- Not a security boundary against determined adversaries. JAI is designed for containing accidents, not for running untrusted code from unknown sources.
- Network access is not restricted. In its current form, JAI focuses on filesystem isolation. An agent can still make network requests, which means it could theoretically exfiltrate data even in Strict mode.
These are reasonable trade-offs for JAI’s target use case: developers who are already running AI agents on their local machines and want a low-friction safety net.
Why This Hit a Nerve on Hacker News
JAI’s launch post — titled “Don’t YOLO your file system” — landed on Hacker News with 231 points and 129 comments, sparking exactly the debate you’d expect. The timing was perfect: after a year of high-profile AI-agent-destroys-data incidents (Replit, Google Antigravity, Claude deleting a Mac home directory, Amazon Kiro nuking a production environment), developers are acutely aware that giving an AI agent sudo-level access to their machine is playing with fire.
The discussion reflects a broader shift in how the developer community thinks about AI tools. A year ago, the conversation was “how do I give my AI agent more access so it can be more useful?” Now it’s “how do I contain the damage when it inevitably does something stupid?” JAI, with its one-command setup and Stanford pedigree, arrived at exactly the right moment for that second question.
FAQ
Is JAI free to use?
Yes. JAI is free and open-source software released by the Stanford Secure Computer Systems research group. There is no paid tier or commercial license.
Does JAI work on macOS or Windows?
No. JAI is Linux-only and requires kernel 6.13 or newer. macOS users can look at alternatives like Anthropic’s sandbox-runtime (which uses macOS Seatbelt) or Agent Safehouse, which is built specifically for macOS.
Which AI tools work with JAI?
JAI is tool-agnostic — it wraps any command-line process. The documentation references Claude and Codex, but any CLI-based AI agent or tool should work. You just prepend jai to your normal command.
Can JAI prevent an AI agent from accessing my API keys or SSH credentials?
In Casual mode, no — the agent can still read files in your home directory. In Strict mode, yes — the agent runs as a separate user with an empty home directory, which prevents access to your credentials. Choose your mode based on your threat model.
How does JAI compare to just using Docker?
Docker provides stronger, more comprehensive isolation but requires significantly more setup — Dockerfiles, image builds, volume mounts. JAI is designed for the common case where you want quick protection for local AI workflows without the overhead. If you need production-grade isolation, Docker (or Firecracker/Kata Containers) is still the better choice.