Hacker Newsnew | past | comments | ask | show | jobs | submit | kstenerud's commentslogin

How so? Orwell's stories dealt with class protectionism, and how the average person unwittingly contributes to systems of oppression and exclusion. Empire is about outsourcing the bottom end of inequality.

The article is about how removing those books - for the very stated reasons you outlines - could, according to the author, contribute to the rise of the right and the destruction of those ends.

(just an example; it really can be framed from pretty much any angle)


I discovered this a few months ago when I was describing a binary data format using Dogma. On a whim, I tried handing the task off to Claude and it not only finished it correctly, but also fixed some errors!

Sandboxing is a VERY HARD problem. I've been working on it for months, and finally have something that's mostly there:

- Sandbox on Linux using Docker, Podman, containerd, gVisor, Kata, Firecracker

- Sandbox on Mac using Docker (Docker Desktop or Orbstack), Podman, Apple containers, Seatbelt, Tart (Tart lets you run simulators).

- Network control

- Secrets control (file mounts or credentials broker)

- NO ambient data (ENV is replaced with a minimal and local-to-sandbox one)

- NO access to your homedir. You have to explicitly mount things you want.

- NO direct access to your workdir: Your work dir is never modified until you apply the changes, either standalone or as a git commit. You can also diff before applying. Git runs sandbox side in case the repo has filters.

- gitignored files never get copied in. The agent never sees them.

- Has built-in support for claude, codex, gemini, aider, and opencode, but you can also launch it in "shell" mode and run whatever you want.

- Supports VS code tunnels, so you can remotely access in VS code if you don't want to use the terminal.

- Full lifecycle support: Launch, attach, stop, restart, wait, one-shot, clone, destroy

- MCP passthrough

- Layered API (golang) if you want to sandbox other things

- Self-contained binary. No external requirements other than the backends you want to use. Defaults to a ~/.yoloai dir for config/data, but you can point it anywhere.

- FOSS

https://github.com/kstenerud/yoloai


Sandboxing in a container in Linux isn't hard, if you use lxd/incus which ships with Ubuntu/Debian.

It all seems so simple at first. Just launch a container/vm with a base image of your dev environment, mount whatever you need, do your work, and then tear down. Maybe add some iptables rules for good measure. Easy peasy, something any moderately competent dev could do and even put in a quick shell script.

I started with that assumption, but there are a lot more gotchas and security issues than you'd think.


but this seems quite overkill no?

I currently run pi agent in Lima on a Mac with only the code project folder mounted and an extension that prevents pi agent from reading the contents of .env files directly.

Yeah, there probably are some freak situations where this isn't safe enough, but I don't really see any realistic ways this is going to end up badly. Am I overlooking some obvious security holes?


I designed it to provide a single interface to agent sandboxing, no matter how far up the security tower you want to go.

It eliminates the manual process steps you end up doing with an ad-hoc system (which gets old the 10th time you do it).

Common weak points:

- The agent can access your homedir.

- The agent can access .gitignored files, which can contain secrets (and are gitignored for this reason).

- The agent has r/w access to your workdir.

- The agent could follow your remote mounted dirs.

- The agent can act in your name with whatever credentials it finds (and it will use them when it tries to be helpful, especially with the gh tool).

- Do you even know what's in the diagnose_problem.sh file it just created and asked permission to run?

- Even the .git dir can be weaponized, such as with evil filters.

- The agent can edit its own process, bypassing the harness controls and giving it the same access as you have (amplified by each credential sitting on that machine).

Meanwhile, you're reflex-hitting ENTER without looking because 99% of the permission prompts are mundane.

And that's before you even get to all of the idiosyncrasies in the backends that will eventually trip you up. The list is quite large and continually growing: https://github.com/kstenerud/yoloai/blob/main/docs/contribut...


i have a photon os vmware, agent has root and docker plus a few api keys with minimal credits.

if it messes up: - no sensitive data is there, so it doesn't really work for serious dev but it's secure for play time

- roll back and fix is done in 10s with ram snapshot

- dollar loss is $10 when it leaks the api key


This is exactly what VMs are for.

Heh, good luck with that.

Explain Mr vague.

I've already explained in some sister comments. Sandboxing is one of those things that seems very simple on the surface, and is EXTREMELY complicated once you start actually digging into the implications, gotchas, and security issues. The underlying tools were never designed with this use case in mind, so they need a little help to reach that last mile. And this glue is where all the chaos ensues.

Here's a small sample of the crazy shit you have to deal with: https://github.com/kstenerud/yoloai/blob/main/docs/contribut...

And that's if you're actually following the proper procedures (which are themselves byzantine and tricky to get right).


Not if you've got a good sandbox.

Do you have one?

Yup, I built one! https://github.com/kstenerud/yoloai

You can even run simulators in it if you choose the Tart backend.


And how is your vibe coded sandbox better than 1000 other sandboxes?

You'll never know. And that's fine.

I built yoloAI for this kind of nightmare scenario (among others).

- The sandboxed agent has no access to your homedir, or ANY dir on your machine except what you explicitly give it access to.

- Even with your workdir, it honors .gitignore and refuses to copy in any ignored paths to the sandbox copy.

- The sandboxed agent doesn't have access to your ENV (unless you explicitly pass things through one-by-one).

- Networking can be restricted any way you like.

- Credentials are proxied (currently Claude only), so the agent has access to NO secrets at all.

- You pick the security backend to match your needs (containers, VMs, etc).

- It's FOSS.

https://github.com/kstenerud/yoloai


yoloAI does something similar:

- Sandbox on Linux using Docker, Podman, containerd, gVisor, Kata, Firecracker

- Sandbox on Mac using Docker (Docker Desktop or Orbstack), Podman, Apple containers, Seatbelt, Tart (Tart lets you run simulators).

- Network restriction

- Secrets control (file mounts or credentials broker)

- NO ambient data (ENV is replaced with a minimal and local-to-sandbox one, no host-side filesystem access beyond what you explicitly allow)

- Workdir protection: Your work dir is never modified until you apply the changes, either standalone or as a git commit. You can also diff before applying. Git runs SANDBOX side in case the repo has filters.

- Uses copy-on-write if your filesystem supports it (most modern ones do)

- Has built-in support for claude, codex, gemini, aider, and opencode, but you can also launch it in "shell" mode and run whatever you want.

- Supports VS code tunnels, so you can remotely access in VS code if you don't want to use the terminal.

- Full lifecycle support: Launch, attach, stop, restart, wait, one-shot, clone, destroy

- MCP passthrough

- Layered API (golang) if you want to sandbox other things

- Self-contained binary. No external requirements other than the backends you want to use. Defaults to a ~/.yoloai dir for config/data, but you can point it anywhere.

- FOSS

https://github.com/kstenerud/yoloai


Hadn't seen yoloai before. I really like new/diff/apply/destroy workflow, that's interesting. For my own needs the two things I was after were multi-repo worktrees (one sandbox spanning several repos, each on with its own worktree) and a single network restricted VM path I fully control, rather than many backends (I started with many backends at first but it was awkward to add network filtering to them). Lots of overlap though, nice work, and I'll be reading through yours.

I made a tool that creates sandboxes (docker, podman, orbstack, seatbelt, tart, Apple containers, containerd, kata, firecracker) and then sets up an agent (claude, codex, gemini, aider, opencode) inside it with max permissiveness (no prompts to call sed, etc).

It creates a CoW copy of your workdir for the agent to play in, and then you pull changes out using git diff/apply semantics.

You control network access, secrets, which files/dirs it has access to.

It's a MASSIVE time saver, and I use it as my daily driver.

https://github.com/kstenerud/yoloai


I've been beating a dead horse over this for months now but nobody seems to listen until it's too late...

1) Sandbox any LLM that has access to tools (I don't mean the pathetic sandboxes the agent harnesses provide).

2) Assign them credentials and use auth/access control like you would for a human.


You might want to give https://github.com/kstenerud/yoloai a try, then.

Runs agents in tmux in sandboxes.


Hard coded harness support... Yuck.

Gondolin is sand boxes done right...


You don't have to use the opinionated harnesses. Nothing stopping you from launching your own.

I have the agent inject comments that mention that this particular code is legacy and must not be used as a reference, should not be cleaned up, etc. If you have a document that lists all of the reasons not to use or touch some code, the comments can simply be references to it.

    // LEGACY CODE, per docs/legacy_rules.md §14, §19

Thanks for the tip. I’ll try that out.

Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: