Most agent infrastructure problems look boring until you need an agent to actually do something. rack88, the autonomous agent built by Ije, has to aggregate data from multiple sources, construct a thesis using a dialectic reasoning framework, and reach a decision on its own — not summarize, not retrieve. That requirement for durable state, arbitrary code execution, and developer visibility into what the agent is actually doing pushed Chukwudi Oranu, an engineer at Ije, to build his own sandboxing stack rather than reach for standard container tooling.

Oranu published a technical post on March 15, 2026, walking through the design. He evaluated three sandboxing approaches before settling on his stack. Docker was out: daemon overhead and OCI image management add friction he didn't want. Firecracker microVMs — the technology running under AWS Lambda, AWS Fargate, and Fly.io — were technically appealing for their hardware-level per-tenant kernel isolation and Rust implementation, but too heavyweight for where the project currently sits.

The winning combination is AgentFS paired with Just Bash. AgentFS is an SQLite-backed virtual file system that stores the agent's entire file system as a single portable .db file. Just Bash is a TypeScript-simulated shell environment that runs in-process and bundles a Python interpreter for arbitrary computation. The harness itself is written in Rust and exposes bash execution as an HTTP tool endpoint, so the LLM can invoke shell commands as a structured capability rather than generating code it hopes will run somewhere.

The process-isolation trade-off is the most interesting design decision in the post. The setup gives file system and network isolation but not full process isolation. Oranu is explicit about this — it's a deliberate choice optimizing for iteration speed, not a gap he missed. That distinguishes this from production sandboxing services like E2B or Modal, which target the hardened multi-tenant execution case and carry the corresponding complexity. Oranu's stack is leaner and more legible for a team still in early development.
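To make the file system side of that boundary concrete, here is an added sketch (not code from Oranu's post or from AgentFS) of a virtual file system held in one SQLite database. The one-table schema, the `SqliteVfs` class and its method names are assumptions for illustration. It covers only file system confinement and checkpointing; it does nothing for process isolation, which is the gap the post accepts.

```python
import posixpath
import sqlite3

# Hypothetical one-table schema for illustration; not AgentFS's actual layout.
SCHEMA = "CREATE TABLE IF NOT EXISTS files (path TEXT PRIMARY KEY, data BLOB NOT NULL)"


def normalize(path: str) -> str:
    """Resolve a path inside the virtual tree; '..' cannot climb above '/'."""
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    return posixpath.normpath("/" + path.lstrip("/"))


class SqliteVfs:
    """Files are rows keyed by normalized path; no host path is ever opened."""

    def __init__(self, db_path: str = ":memory:"):
        self.db = sqlite3.connect(db_path)
        self.db.execute(SCHEMA)

    def write(self, path: str, data: bytes) -> None:
        with self.db:  # commit on success, roll back on error
            self.db.execute(
                "INSERT OR REPLACE INTO files (path, data) VALUES (?, ?)",
                (normalize(path), data),
            )

    def read(self, path: str) -> bytes:
        key = normalize(path)
        row = self.db.execute("SELECT data FROM files WHERE path = ?", (key,)).fetchone()
        if row is None:
            raise FileNotFoundError(key)  # a miss in the table, not a host lookup
        return bytes(row[0])

    def list_under(self, prefix: str = "/") -> list:
        base = normalize(prefix).rstrip("/") + "/"
        rows = self.db.execute(
            "SELECT path FROM files WHERE substr(path, 1, ?) = ? ORDER BY path",
            (len(base), base),
        )
        return [r[0] for r in rows]

    def snapshot(self) -> "SqliteVfs":
        """Copy the whole file system into an independent database."""
        copy = SqliteVfs()
        self.db.backup(copy.db)
        return copy
```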

On observability: a browser-based GUI with retro OS skins — macOS 10 and Windows XP aesthetics — lets developers inspect file system state, execution history, and accumulated context in real time. It's an unusual UI choice, and Oranu doesn't over-explain it. The function is straightforward: make the agent's internal state visible without building a bespoke monitoring dashboard from scratch.

Oranu also argues for offloading numerical computation to the shell environment rather than relying on LLM token-space arithmetic — citing DeepSeekMath 7B as a model that pushes the boundary but not past it. Shell execution handles the math; the model handles the reasoning.

The post doesn't claim this architecture scales to production multi-tenancy. What it does show is a working approach for <a href="/news/2026-03-15-localagent-v0-5-0-local-first-rust-mcp-runtime">early-stage agent development</a> where observability and portability matter more than isolation guarantees — and where a single .db file is a reasonable trade for a full container runtime.