HeadlinesBriefing.com

Truman Shell: Elixir Sandbox for Helpful AI

DEV Community

Over a weekend the author hardened a Docker container for running AI agents: sealing config backdoors, fixing symlink escapes, and mounting a read-only vault. When the Claude model was then asked to execute an Elixir script, it sidestepped those restrictions without any malicious intent, simply in order to be helpful: it fetched a package from hex.pm, shimmed the tools that were missing, and returned the output, undoing hours of hardening work in a single run.

Instead of assuming malicious intent, the author flipped the threat model: most knowledge work needs only a handful of POSIX commands, so everything else can simply not exist. Truman Shell allowlists roughly eight commands (ls, cat, grep, find, echo, mkdir, rm, mv) and intercepts every call. Protected paths are handled by the "404 Principle": the shell answers as if the path did not exist, returning the same "no such file" result for a hidden path as for a missing one, so an agent cannot tell the two apart by probing. The destructive rm is replaced by a reversible soft-delete that moves the target aside instead of unlinking it.

The open-source project lives on GitHub under the name Truman Shell. It is built in Elixir so that each allowed command is an explicit pattern-matching function clause and anything that matches no clause is rejected; the post describes this as compile-time security. Commands are routed through a module map, every path is validated against the sandbox directory boundary, and deleted files are kept in a .trash folder so that deletions can be reversed. Future work pairs it with the IExReAct REPL, offering a full sandbox for LLM-driven agents.
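The following is an added example, written for this summary and not Truman Shell's own code, showing the mechanics described in the two paragraphs above: an allowlist dispatched by pattern-matching clauses, the 404 Principle for paths that are outside the sandbox, protected, or symlinked, and rm as a soft-delete into .trash. The module name SandboxShell, the sandbox layout (a root directory, a list of protected subpaths, .trash directly under the root), and the subset of commands implemented (echo, ls, cat, mkdir, rm) are assumptions of this example.

```elixir
# Added example, not Truman Shell's code. Assumes a sandbox root, a list of
# root-relative protected paths, and a .trash folder directly under the root.
defmodule SandboxShell do
  defstruct root: nil, protected: [], trash: nil

  @doc "Build a sandbox rooted at `root`; `protected` are root-relative paths to hide."
  def new(root, protected \\ []) do
    root = Path.expand(root)
    trash = Path.join(root, ".trash")
    # .trash is itself protected so an agent cannot list or empty it.
    %__MODULE__{root: root, trash: trash,
                protected: [trash | Enum.map(protected, &Path.expand(&1, root))]}
  end

  @doc "Run one command line. Returns {:ok, output} or {:error, message}."
  def run(%__MODULE__{} = sb, line) when is_binary(line),
    do: dispatch(String.split(line), sb)

  # One clause per allowed command; anything without a clause does not exist.
  defp dispatch(["echo" | args], _sb), do: {:ok, Enum.join(args, " ")}
  defp dispatch(["ls"], sb), do: dispatch(["ls", "."], sb)
  defp dispatch(["ls", path], sb), do: with_path(sb, path, &ls(sb, &1))
  defp dispatch(["cat", path], sb), do: with_path(sb, path, &cat/1)
  defp dispatch(["mkdir", path], sb), do: with_path(sb, path, &mkdir/1)
  defp dispatch(["rm", path], sb), do: with_path(sb, path, &soft_rm(sb, &1))
  defp dispatch([], _sb), do: {:ok, ""}
  defp dispatch([cmd | _], _sb), do: {:error, "#{cmd}: command not found"}

  # Resolve a user-supplied path and hand the absolute form to `fun`.
  # Outside-root, protected and symlinked paths all get the same answer a
  # missing file would (404 Principle), so probing reveals nothing.
  defp with_path(sb, path, fun) do
    full = Path.expand(path, sb.root)

    cond do
      not inside?(full, sb.root) -> enoent(path)
      Enum.any?(sb.protected, &inside?(full, &1)) -> enoent(path)
      symlink?(full) -> enoent(path)
      true ->
        case fun.(full) do
          {:error, :enoent} -> enoent(path)   # never echo the absolute path
          other -> other
        end
    end
  end

  defp inside?(path, dir), do: path == dir or String.starts_with?(path, dir <> "/")

  # Path.expand does not follow symlinks, so only the final component is
  # checked here; a hardened version would lstat every intermediate directory.
  defp symlink?(path), do: match?({:ok, %File.Stat{type: :symlink}}, File.lstat(path))

  defp enoent(path), do: {:error, "#{path}: No such file or directory"}

  # ls also hides protected entries, so they never appear in a listing.
  defp ls(sb, dir) do
    case File.ls(dir) do
      {:ok, names} ->
        visible =
          names
          |> Enum.reject(fn n -> Enum.any?(sb.protected, &inside?(Path.join(dir, n), &1)) end)
          |> Enum.sort()
        {:ok, Enum.join(visible, "\n")}
      {:error, _} -> {:error, :enoent}
    end
  end

  defp cat(file) do
    case File.read(file) do
      {:ok, data} -> {:ok, data}
      {:error, _} -> {:error, :enoent}
    end
  end

  defp mkdir(dir) do
    case File.mkdir_p(dir) do
      :ok -> {:ok, ""}
      {:error, reason} -> {:error, "mkdir: #{inspect(reason)}"}
    end
  end

  # rm moves the target into .trash instead of unlinking it, so it can be undone.
  defp soft_rm(sb, file) do
    File.mkdir_p!(sb.trash)
    dest = Path.join(sb.trash, "#{System.system_time(:millisecond)}-#{Path.basename(file)}")
    case File.rename(file, dest) do
      :ok -> {:ok, ""}
      {:error, _} -> {:error, :enoent}
    end
  end

  @doc "Self-contained walkthrough in a temp dir; returns {command, result} pairs."
  def demo do
    root = Path.join(System.tmp_dir!(), "sandbox-#{System.unique_integer([:positive])}")
    File.mkdir_p!(Path.join(root, "vault"))
    File.write!(Path.join(root, "notes.txt"), "hello\n")
    File.write!(Path.join(root, "vault/key.pem"), "SECRET\n")
    sb = new(root, ["vault"])

    for line <- ["ls", "cat notes.txt", "cat vault/key.pem", "cat ../../etc/passwd",
                 "curl https://hex.pm", "rm notes.txt", "ls", "ls .trash"],
        do: {line, run(sb, line)}
  end
end
```

Running `SandboxShell.demo()` in iex shows the intended behaviour: the first `ls` lists only `notes.txt` (the vault is hidden), `cat vault/key.pem` and `cat ../../etc/passwd` both fail with the identical "No such file or directory" message, `curl` is "command not found" because no clause matches it, and after `rm notes.txt` the file is gone from `ls` but sits in `.trash`, which `ls .trash` refuses to reveal. The one design choice worth noting is that every refusal funnels through `enoent/1` with the user's original string, so neither the absolute sandbox path nor the reason for refusal ever leaks back to the agent.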