Issue No. 001·March 21, 2026·Seoul Edition

Endo Familiar: A JavaScript agent sandbox for secure AI agent execution

Implements an object-capability (ocap) model for JavaScript-based AI agent runtimes. Replaces traditional perimeter-based security with structural guarantees of Least Authority.

April 27, 2026 · IndiePulse AI Editorial

Endo Familiar (prototype)

Tagline: A JavaScript agent sandbox for secure AI agent execution
Platform: web
Category: AI Security · Developer Tools · JavaScript Frameworks
Visit: dcfoundation.io
Most AI agent security relies on 'guardrails'—essentially a set of filters or policies that attempt to stop a model from doing something bad after it has already been given the keys to the kingdom. Endo Familiar takes a fundamentally different approach by utilizing an object-capability model. Instead of giving an agent a broad API key and hoping the policy engine catches a malicious request, the runtime ensures the agent physically cannot reference any resource or function for which it hasn't been explicitly granted a capability. This moves security from the application layer down to the runtime architecture.

The technical merit here lies in the use of sandboxed compartments. By scoping access at the structural level, the framework mitigates the risk of prompt injection leading to unauthorized system access. The 'pet name' system is a pragmatic addition; ocap systems are notoriously difficult for humans to reason about due to the lack of global namespaces. Mapping these capabilities to readable names allows developers to audit permissions without getting lost in a sea of opaque object references.

However, as a prototype, the primary challenge will be friction. Moving from a standard Node.js or browser environment to a strictly partitioned ocap runtime requires a shift in how developers write code. There is a non-trivial learning curve in designing systems where global state is forbidden and every dependency must be explicitly passed. For teams building critical infrastructure where a single rogue agent action could be catastrophic, this friction is a feature, not a bug.

This is a tool for the security-conscious engineer who is tired of the 'cat-and-mouse' game of AI prompt engineering. If you are deploying agents into production environments with sensitive data or system-level write access, the structural guarantees offered by Endo Familiar are far more reliable than a well-worded system prompt.
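The capability-passing and pet-name pattern described above, as an added example in plain JavaScript. It is not Endo Familiar's code or API: every function name (`makeStore`, `makeReadOnlyView`, `makePetNames`, `runAgent`) and all file contents are hypothetical. It shows only the discipline of handing an agent an attenuated, revocable reference; plain JavaScript still exposes ambient globals, which is the gap the page says sandboxed compartments close.

```javascript
// Added illustration; every name below is hypothetical, not Endo's API.
// Powerful capability: a read/write store (contents are constructed sample data).
function makeStore(files) {
  const data = new Map(Object.entries(files));
  return Object.freeze({
    read: (path) => data.get(path),
    write: (path, text) => { data.set(path, text); },
  });
}

// Attenuation: read-only facet limited to one prefix; the host keeps the revoker.
function makeReadOnlyView(store, prefix) {
  let live = true;
  const view = Object.freeze({
    read: (path) => {
      if (!live) throw new Error('capability revoked');
      if (!path.startsWith(prefix) || path.includes('..')) throw new Error(`outside grant: ${path}`);
      return store.read(path);
    },
  });
  return { view, revoke: () => { live = false; } };
}

// Pet names: host-chosen labels for grants, so permissions can be audited as a list.
function makePetNames() {
  const names = new Map();
  return Object.freeze({
    grant: (name, cap) => { names.set(name, cap); },
    lookup: (name) => names.get(name),
    audit: () => [...names.keys()].sort(),
  });
}

// The agent is handed a lookup function and nothing else: no store, no grant().
function runAgent(lookup) {
  const notes = lookup('project-notes');
  const out = { read: notes.read('notes/todo.txt'), canWrite: typeof notes.write === 'function' };
  try { notes.read('secrets/api-key'); out.escaped = true; } catch (e) { out.denied = e.message; }
  return out;
}

function demo() {
  const store = makeStore({ 'notes/todo.txt': 'ship it', 'secrets/api-key': 'CONSTRUCTED-KEY' });
  const { view, revoke } = makeReadOnlyView(store, 'notes/');
  const powers = makePetNames();
  powers.grant('project-notes', view);
  const first = runAgent(powers.lookup);
  revoke(); // host withdraws the grant; the agent's reference stops working
  let afterRevoke = 'still works';
  try { runAgent(powers.lookup); } catch (e) { afterRevoke = e.message; }
  return { first, audit: powers.audit(), afterRevoke };
}
```

Calling `demo()` returns the agent's view of the world before and after revocation, plus the pet-name list a reviewer would audit.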
