How so? Orwell's stories dealt with class protectionism, and how the average person unwittingly contributes to systems of oppression and exclusion. Empire is about outsourcing the bottom end of inequality.
The article is about how removing those books - for the very stated reasons you outlines - could, according to the author, contribute to the rise of the right and the destruction of those ends.
(just an example; it really can be framed from pretty much any angle)
I discovered this a few months ago when I was describing a binary data format using Dogma. On a whim, I tried handing the task off to Claude and it not only finished it correctly, but also fixed some errors!
Sandboxing is a VERY HARD problem. I've been working on it for months, and finally have something that's mostly there:
- Sandbox on Linux using Docker, Podman, containerd, gVisor, Kata, Firecracker
- Sandbox on Mac using Docker (Docker Desktop or Orbstack), Podman, Apple containers, Seatbelt, Tart (Tart lets you run simulators).
- Network control
- Secrets control (file mounts or credentials broker)
- NO ambient data (ENV is replaced with a minimal and local-to-sandbox one)
- NO access to your homedir. You have to explicitly mount things you want.
- NO direct access to your workdir: Your work dir is never modified until you apply the changes, either standalone or as a git commit. You can also diff before applying. Git runs sandbox side in case the repo has filters.
- gitignored files never get copied in. The agent never sees them.
- Has built-in support for claude, codex, gemini, aider, and opencode, but you can also launch it in "shell" mode and run whatever you want.
- Supports VS code tunnels, so you can remotely access in VS code if you don't want to use the terminal.
- Layered API (golang) if you want to sandbox other things
- Self-contained binary. No external requirements other than the backends you want to use. Defaults to a ~/.yoloai dir for config/data, but you can point it anywhere.
It all seems so simple at first. Just launch a container/vm with a base image of your dev environment, mount whatever you need, do your work, and then tear down. Maybe add some iptables rules for good measure. Easy peasy, something any moderately competent dev could do and even put in a quick shell script.
I started with that assumption, but there are a lot more gotchas and security issues than you'd think.
I currently run pi agent in Lima on a Mac with only the code project folder mounted and an extension that prevents pi agent from reading the contents of .env files directly.
Yeah, there probably are some freak situations where this isn't safe enough, but I don't really see any realistic ways this is going to end up badly. Am I overlooking some obvious security holes?
I designed it to provide a single interface to agent sandboxing, no matter how far up the security tower you want to go.
It eliminates the manual process steps you end up doing with an ad-hoc system (which gets old the 10th time you do it).
Common weak points:
- The agent can access your homedir.
- The agent can access .gitignored files, which can contain secrets (and are gitignored for this reason).
- The agent has r/w access to your workdir.
- The agent could follow your remote mounted dirs.
- The agent can act in your name with whatever credentials it finds (and it will use them when it tries to be helpful, especially with the gh tool).
- Do you even know what's in the diagnose_problem.sh file it just created and asked permission to run?
- Even the .git dir can be weaponized, such as with evil filters.
- The agent can edit its own process, bypassing the harness controls and giving it the same access as you have (amplified by each credential sitting on that machine).
Meanwhile, you're reflex-hitting ENTER without looking because 99% of the permission prompts are mundane.
I've already explained in some sister comments. Sandboxing is one of those things that seems very simple on the surface, and is EXTREMELY complicated once you start actually digging into the implications, gotchas, and security issues. The underlying tools were never designed with this use case in mind, so they need a little help to reach that last mile. And this glue is where all the chaos ensues.
- Sandbox on Linux using Docker, Podman, containerd, gVisor, Kata, Firecracker
- Sandbox on Mac using Docker (Docker Desktop or Orbstack), Podman, Apple containers, Seatbelt, Tart (Tart lets you run simulators).
- Network restriction
- Secrets control (file mounts or credentials broker)
- NO ambient data (ENV is replaced with a minimal and local-to-sandbox one, no host-side filesystem access beyond what you explicitly allow)
- Workdir protection: Your work dir is never modified until you apply the changes, either standalone or as a git commit. You can also diff before applying. Git runs SANDBOX side in case the repo has filters.
- Uses copy-on-write if your filesystem supports it (most modern ones do)
- Has built-in support for claude, codex, gemini, aider, and opencode, but you can also launch it in "shell" mode and run whatever you want.
- Supports VS code tunnels, so you can remotely access in VS code if you don't want to use the terminal.
- Layered API (golang) if you want to sandbox other things
- Self-contained binary. No external requirements other than the backends you want to use. Defaults to a ~/.yoloai dir for config/data, but you can point it anywhere.
Hadn't seen yoloai before. I really like new/diff/apply/destroy workflow, that's interesting. For my own needs the two things I was after were multi-repo worktrees (one sandbox spanning several repos, each on with its own worktree) and a single network restricted VM path I fully control, rather than many backends (I started with many backends at first but it was awkward to add network filtering to them).
Lots of overlap though, nice work, and I'll be reading through yours.
I made a tool that creates sandboxes (docker, podman, orbstack, seatbelt, tart, Apple containers, containerd, kata, firecracker) and then sets up an agent (claude, codex, gemini, aider, opencode) inside it with max permissiveness (no prompts to call sed, etc).
It creates a CoW copy of your workdir for the agent to play in, and then you pull changes out using git diff/apply semantics.
You control network access, secrets, which files/dirs it has access to.
It's a MASSIVE time saver, and I use it as my daily driver.
I have the agent inject comments that mention that this particular code is legacy and must not be used as a reference, should not be cleaned up, etc. If you have a document that lists all of the reasons not to use or touch some code, the comments can simply be references to it.
reply