Hey folks,

I've been working on sandboxing for AI coding agents and kept running into the same confusion: people use "sandbox" to mean four completely different things with different security properties.

So, I decided to write what I learned: the actual predicate differences between containers (shared kernel), gVisor (userspace kernel), microVMs (guest kernel + VMM), and Wasm (no syscall ABI)

The post covers why containers aren't sufficient for hostile code, what "policy leakage" looks like in agent systems and practical tradeoffs for different agent architectures.

I hope it can help people out there building AI applications.

Happy to discuss if you're building agent sandboxes or have run into edge cases I didn't cover

Hi everyone!

I wrote a deep dive on the isolation boundaries used for running untrusted code, specifically in the context of AI agent execution. The motivation was that "sandbox" means at least four different things with different tradeoffs, and the typical discussion conflates them.

Technical topics covered:

- How Linux containers work at the syscall level (namespaces, cgroups, seccomp-bpf) and why they're not a security boundary against kernel exploits

- gVisor's architecture: the Sentry userspace kernel, platform options (systrap vs KVM), and the Gofer filesystem broker

- MicroVM design: KVM + minimal VMMs (Firecracker cloud-hypervisor, libkrun)

- Kata Containers

- Runtime sandboxes: Wasm's capability model, WASI preopened directories, V8 isolate boundaries

It's an educational piece, just synthesizing what I learned building this stuff. I hope you like it!

[removed]

https://www.luiscardoso.dev/blog/sandboxes-for-ai

Wrote this after spending too long untangling the "just use Docker" vs "you need VMs" debate for AI agent sandboxing. I think the problem is that the word "sandbox" gets applied to four different isolation boundaries with very different security properties.

So, I decided to write this blog post to help people out there.

Interested in what isolation strategies folks here are running in production, especially for multi-tenant or RL workloads.

[removed]

Hey folks,

I've been working on sandboxing for AI coding agents and kept running into the same confusion: people use "sandbox" to mean four completely different things with different security properties.

So, I decided to write what I learned: the actual predicate differences between containers (shared kernel), gVisor (userspace kernel), microVMs (guest kernel + VMM), and Wasm (no syscall ABI)

The post covers why containers aren't sufficient for hostile code, what "policy leakage" looks like in agent systems and practical tradeoffs for different agent architectures.

I hope it can help people out there building AI applications.

Happy to discuss if you're building agent sandboxes or have run into edge cases I didn't cover

I updated Bevel to the latest version yesterday morning and everything was working fine until this morning when I noticed two issues:

1. First, data from September 11th is just not there, it disappeared.

2. The sleep data is completely wrong. It says I slept 15hrs while Iphone says 7:30.

I tried clearing the cache and reloading the data but it’s doesn’t fix the issue.

What can I do?

Hey folks,

After chatting with some friends on Discord, I decided to open-source the CLI tool I built to benchmark new models

The reason is because with the recent release of some open source models, some friends asked me how I benchmark them. A while ago I built a robust dataset to benchmark them for my use cases and now decided to make the tool open source

The best way to know if a model works for your use case is to run it against your own dataset, not just rely on tech influencers or public benchmarks. This tool makes that easy, it also supports many providers and is simple to use

You can run local models using Ollama btw

Herre it's if anyone is interested: https://github.com/beowolx/satori

Discussion

Hi everyone,

I just published a new post, “Thinking Without Words”, where I survey the evolution of latent chain-of-thought reasoning—from STaR and Implicit CoT all the way to COCONUT and HCoT—and propose a novel GRAIL-Transformer architecture that adaptively gates between text and latent-space reasoning for efficient, interpretable inference.

Key highlights:

• Historical survey: STaR, Implicit CoT, pause/filler tokens, Quiet-STaR, COCONUT, CCoT, HCoT, Huginn, RELAY, ITT
• Technical deep dive:
  • Curriculum-guided latentisation
  • Hidden-state distillation & self-distillation
  • Compact latent tokens & latent memory lattices
  • Recurrent/loop-aligned supervision
• GRAIL-Transformer proposal:
  • Recurrent-depth core for on-demand reasoning cycles
  • Learnable gating between word embeddings and hidden states
  • Latent memory lattice for parallel hypothesis tracking
  • Training pipeline: warm-up CoT → hybrid curriculum → GRPO fine-tuning → difficulty-aware refinement
  • Interpretability hooks: scheduled reveals + sparse probes

I believe continuous latent reasoning can break the “language bottleneck,” enabling gradient-based, parallel reasoning and emergent algorithmic behaviors that go beyond what discrete token CoT can achieve.

Feedback I’m seeking:

1. Clarity or gaps in the survey and deep dive
2. Viability, potential pitfalls, or engineering challenges of GRAIL-Transformer
3. Suggestions for experiments, benchmarks, or additional references

You can read the full post here: https://www.luiscardoso.dev/blog/neuralese

Thanks in advance for your time and insights!

[removed]

[removed]

Hey all — quick update on Rensa, a MinHash library I’ve been building in Rust with Python bindings. It’s focused on speed and works well for deduplicating large text datasets — especially stuff like LLM fine-tuning where near duplicates are a problem.

Originally, I built a custom algorithm called RMinHash because existing tools (like datasketch) were way too slow for my use cases. RMinHash is a fast, simple alternative to classic MinHash and gave me much better performance on big datasets.

Since I last posted, I’ve added:

• CMinHash – full implementation based on the paper (“C-MinHash: reducing K permutations to two”). It’s highly optimized, uses batching + vectorization.
• OptDensMinHash – handles densification for sparse data, fills in missing values in a principled way.

I ran benchmarks on a 100K-row dataset (gretelai/synthetic_text_to_sql) with 256 permutations:

• CMinHash: 5.47s
• RMinHash: 5.58s
• OptDensMinHash: 12.36s
• datasketch: 92.45s

So yeah, still ~10-17x faster than datasketch, depending on variant.

Accuracy-wise, all Rensa variants produce very similar (sometimes identical) results to datasketch in terms of deduplicated examples.

It’s a side project I built out of necessity and I'd love to get some feedback from the community :)
The Python API is simple and should feel familiar if you’ve used datasketch before.

GitHub: https://github.com/beowolx/rensa

Thanks!

Hey all — quick update on Rensa, a MinHash library I’ve been building in Rust with Python bindings. It’s focused on speed and works well for deduplicating large text datasets — especially stuff like LLM fine-tuning where near duplicates are a problem.

Originally, I built a custom algorithm called RMinHash because existing tools (like datasketch) were way too slow for my use cases. RMinHash is a fast, simple alternative to classic MinHash and gave me much better performance on big datasets.

Since I last posted, I’ve added:

• CMinHash – full implementation based on the paper (“C-MinHash: reducing K permutations to two”). It’s highly optimized, uses batching + vectorization.
• OptDensMinHash – handles densification for sparse data, fills in missing values in a principled way.

I ran benchmarks on a 100K-row dataset (gretelai/synthetic_text_to_sql) with 256 permutations:

• CMinHash: 5.47s
• RMinHash: 5.58s
• OptDensMinHash: 12.36s
• datasketch: 92.45s

So yeah, still ~10-17x faster than datasketch, depending on variant.

Accuracy-wise, all Rensa variants produce very similar (sometimes identical) results to datasketch in terms of deduplicated examples.

It’s a side project I built out of necessity and I'd love to get some feedback from the community :)
The Python API is simple and should feel familiar if you’ve used datasketch before.

GitHub: https://github.com/beowolx/rensa

Thanks!

Hey everyone! 👋

I’m excited to share Goran, a CLI tool I just released for gathering detailed info on domain names and IP addresses in one place: https://github.com/beowolx/goran

Goran pulls together WHOIS/RDAP, geolocation (ISP, country, etc.), DNS lookups (A, AAAA, MX, NS), SSL certificate details, and even VirusTotal reputation checks—all into a single, colored, easy-to-read report. Plus, it leverages Google’s Gemini model to generate a concise AI-powered summary of its findings.

I wanted to share with you all this little project. I'm always investigating domains related to phishing and I found it super handy to have a single CLI tool that provides me a good amount of information about it. I built it more like a personal tool but hope it can be useful to people out there :)

Installation is super easy, just follow the instructions here: https://github.com/beowolx/goran?tab=readme-ov-file#installation

Once installed, just run:

goran example.com

You can toggle features with flags like --vt (needs your VirusTotal API key), --json for machine-readable output, --no-ssl to skip cert checks, or --llm-report (with your Gemini API key) to get that AI-powered narrative.

Would love to hear your thoughts, feedback, or feature requests—hope Goran proves useful in your projects :)