A few months ago I built https://github.com/Gerharddc/litterbox (https://litterbox.work/) primarily to shield my home directory from supply-chain attacks, but I imagine it could be very useful for defending against rogue agents too. Essentially it is a dev-container-like system for Linux built on rootless Podman with a strong focus on isolation and security.
A key difference to normal dev-containers is that it encourages placing your entire dev environment (i.e. also the editor etc.) inside the container so that you are even protected from exploits in editor extensions for instance. This also makes it safer to allow agents (or built tools) to for instance install packages on your system since this is not the "real" system, it is only a container.
Another important feature I added to Litterbox (and one I have not seen before) is a custom SSH agent which always prompts the user to confirm a signing operation through a pop-up. This means that things inside a Litterbox do not have unrestricted access to your normal SSH agent (something which could provide rogue actors access to your GitHub for instance).
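As an added illustration of the confirm-before-signing agent described above (example code written here, not Litterbox's own implementation): a minimal Python proxy that speaks the SSH agent protocol, passes every request through to the host agent at SSH_AUTH_SOCK, but answers a sign request with SSH_AGENT_FAILURE unless a caller-supplied confirm callback approves it. The listening socket path and the confirm callback are assumptions.

```python
import os
import socket
import struct

SSH_AGENT_FAILURE = 5  # message numbers from draft-miller-ssh-agent
SSH_AGENTC_SIGN_REQUEST = 13

def encode_message(msg_type, payload=b""):
    # Frame: uint32 length, one type byte, payload
    return struct.pack(">I", 1 + len(payload)) + bytes([msg_type]) + payload

def read_message(sock):
    # Returns (type, payload), or None when the peer closed the connection
    hdr = sock.recv(4, socket.MSG_WAITALL)
    if len(hdr) < 4:
        return None
    body = sock.recv(struct.unpack(">I", hdr)[0], socket.MSG_WAITALL)
    return body[0], body[1:]

def parse_sign_request(payload):
    # SIGN_REQUEST payload: string key_blob, string data, uint32 flags
    key_len = struct.unpack(">I", payload[:4])[0]
    key_blob, rest = payload[4:4 + key_len], payload[4 + key_len:]
    data_len = struct.unpack(">I", rest[:4])[0]
    return key_blob, rest[4:4 + data_len], struct.unpack(">I", rest[4 + data_len:8 + data_len])[0]

def handle_request(msg_type, payload, forward, confirm):
    # Signing needs confirm()'s approval (declined -> SSH_AGENT_FAILURE); other requests, e.g. key listing, pass through
    if msg_type == SSH_AGENTC_SIGN_REQUEST:
        key_blob, data, _ = parse_sign_request(payload)
        if not confirm(key_blob, data):
            return encode_message(SSH_AGENT_FAILURE)
    return forward(encode_message(msg_type, payload))

def forward_to_real_agent(raw):
    # One request/reply round trip to the host's agent at SSH_AUTH_SOCK
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(os.environ["SSH_AUTH_SOCK"])
        s.sendall(raw)
        return encode_message(*read_message(s))

def serve(listen_path, confirm):
    # Export listen_path as SSH_AUTH_SOCK inside the sandbox; confirm(key_blob, data) -> bool
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(listen_path)
        srv.listen()
        while True:
            client, _ = srv.accept()
            with client:
                while (msg := read_message(client)):
                    client.sendall(handle_request(*msg, forward_to_real_agent, confirm))
```

On the host, run e.g. serve("/path/of/your/choice.sock", lambda key, data: input("Allow signing? [y/N] ").lower() == "y") and mount that socket into the container as its SSH_AUTH_SOCK; the terminal prompt stands in for the pop-up.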
Then I wrote a small tool[1] to streamline my sandboxing.
Now, I run agents inside it for keeping my non-working-directory files safe.
For some tools, like the Markdown linter, I run them without network access as well.
This won't work on Mac, right?
Here's what I use it for right now:

- yarn
- npm
- pnpm
- mdl - Ruby-based Markdown linter
- fastlane - Ruby-based mobile app release tool by Google
- Claude Code
- Gemini CLI
Over time, my goal is to run all CLI-based tools that only need access to the current directory (and not parent directories) via this.
IMO microVMs + dev containers seem like a good fit though.
Dude, really?