Status: Pre-MVP / Active Development / ETA: 2 Weeks

ScarabRuntime

// Strict-Confinement Sandbox for Autonomous Code

Scarab isolates agent execution via native Linux kernel primitives, minimizing the attack surface of LLM-driven workloads. A zero-trust environment built for raw performance and absolute boundary control.

// 01

Hardened

Seccomp-BPF and AppArmor enforcement.

// 02

Isolated

OverlayFS and Cgroups resource control.

// 03

Verifiable

Hash-chained, append-only execution logs.

Technical Specification

// System Architecture

Scarab operates as a high-performance userspace daemon (agentd) written in Rust. It leverages standard Linux kernel primitives to enforce absolute process isolation, while ensuring the agent's identity, permissions, and audit trails are secured.

  1. Rust Foundation: Memory-safe, concurrency-first runtime responsible for critical tool dispatch and capability validation.
  2. IPC Layer: JSON over Unix domain sockets, framed with a 4-byte length prefix, for zero-overhead communication.
  3. Host-Agnostic: Deploys natively on standard Linux distributions (Ubuntu, Debian) running kernel 5.x+, requiring no custom host OS.

// Enforcement Layers

Seccomp-BPF

Syscall filtering tailored to agent trust levels.

AppArmor

Strict filesystem and capability confinement profiles.

Cgroups v2

Hard limits on Memory, CPU, and PID exhaustion.

Nftables

Per-agent network isolation via net namespaces.

// Workload Compatibility

Scarab is agnostic to the agent's internal architecture. The agentd daemon mounts the runtime environment dynamically, supporting multiple execution payloads with zero-copy overhead.

Rust / Native ELF
Python (Soon)
Node.js / TS (Soon)
OCI Images (Soon)

// Capability-Based Security

Tool access is mediated by capability tokens in domain.action:scope format.

# Example Manifest Fragment
capabilities:
  - fs.read:/home/agent/workspace/**
  - fs.write:/tmp/build/**
  - tool.invoke:web-search
  - net.connect:api.openai.com
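
A deny-by-default check over tokens like those in the manifest fragment above, as an added example (not Scarab's own code). The matching rules are assumptions: a trailing /** covers a directory and its descendants, all other scopes match exactly, and the names parse, normalize, scope_allows and is_allowed are hypothetical.

```rust
// Added example, not Scarab's code: deny-by-default matching of
// `domain.action:scope` tokens. The matching semantics are assumptions.

/// Split "domain.action:scope" into (domain, action, scope).
fn parse(token: &str) -> Option<(&str, &str, &str)> {
    let (head, scope) = token.split_once(':')?;
    let (domain, action) = head.split_once('.')?;
    (!domain.is_empty() && !action.is_empty() && !scope.is_empty()).then(|| (domain, action, scope))
}

/// Lexically normalise an absolute path; refuse relative paths and any "..".
fn normalize(path: &str) -> Option<String> {
    if !path.starts_with('/') { return None; }
    let mut parts = Vec::new();
    for seg in path.split('/') {
        match seg {
            "" | "." => {}
            ".." => return None,
            s => parts.push(s),
        }
    }
    Some(format!("/{}", parts.join("/")))
}

/// Assumed rule: an fs scope ending in "/**" covers that directory and its
/// descendants; every other scope must equal the target exactly.
fn scope_allows(domain: &str, scope: &str, target: &str) -> bool {
    if domain != "fs" { return scope == target; }
    let target = match normalize(target) { Some(t) => t, None => return false };
    match scope.strip_suffix("/**") {
        // Compare on a "/" boundary so "/a/b-old" never matches "/a/b/**".
        Some(root) => target == root || target.starts_with(&format!("{}/", root)),
        None => target == scope,
    }
}

/// True only if some granted token covers the requested token.
pub fn is_allowed(grants: &[&str], request: &str) -> bool {
    let (d, a, target) = match parse(request) { Some(p) => p, None => return false };
    grants.iter().filter_map(|g| parse(g)).any(|(gd, ga, scope)| {
        gd == d && ga == a && scope_allows(d, scope, target)
    })
}

fn main() {
    let grants = ["fs.read:/home/agent/workspace/**"];
    println!("{}", is_allowed(&grants, "fs.read:/home/agent/workspace/../../etc/passwd"));
}
```

The path check here is purely lexical, so it does not account for symlinks inside the workspace; kernel-level confinement still has to back it.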

// Storage & Reversibility

Workspaces use OverlayFS for instant isolation. Every "Act" phase is an implicit transaction; hash-chained NDJSON logs provide a tamper-proof audit trail of every tool call and observation.

SQLite Persistent Memory
SHA-256 Audit Integrity

// Sealed Credential Store

Agents never hold raw API keys or other secrets in memory. Credentials are held securely by the host process. When an agent requests an external connection, Scarab intercepts the request, validates the capability token, and injects the authorization header dynamically via an isolated proxy.