I don't understand why I keep seeing posts like this, but nobody appears to know that DevContainers exist.

In a Jetbrains IDE, for example, you check a devcontainer.json file into your repository. This file describes how to build a Docker image (or points to a Dockerfile you already have). When you open up a project, the IDE builds the Docker image, automatically installs a language-server backend into it, and launches a remote frontend connected to that container (which may run on the same or a different machine from where the frontend runs).

If you do anything with an AI agent, that thing happens inside the remote container where the project code files are. If you compile anything, or run anything, that happens in the container too. The project directory itself is synced back to your local system but your home directory (and all its credentials) are off-limits to things inside the container.

It's actually easier to do this than to not, since it provides reusable developer tooling that can be shared among all team members, and gives you consistent dependency versions used for local compilation/profiling/debugging/whatever.

DevContainers are supported by a number of IDEs including VSCode.

You should be using them for non-vibe projects. You should DEFINITELY be using them for vibe projects.

It's a variation of sandboxing which is a great idea. Even just using a separate user account on your laptop provides some useful level of isolation (as long as you don't give it sudo privileges). AI tools of course do some sandboxing of their own. It's just that the constant nagging for permissions causes people to negate most of that by giving very broad access outside the sandbox.

The downside for me and the main reason I do use vms less than I did a few months ago is that I need my agentic coding tools to use development tools a lot. And those tools need a lot of resources. And I have those resources on my laptop. Which is a nice mac book pro with plenty of RAM and 16 CPUs. I can run vms on this thing without issues of course. But tools just run a lot faster when I run them outside those VMs. And agentic coding tools run builds all the time. We're talking some really non trivial time savings here. Watching qemu build a thing for 10 minutes that I know should build in 45 seconds is painful. Especially if it happens over and over again.

The trick is doing sandboxing without performance impact. And very soon you'll also want to be able to run local models. I've been toying with the latest qwen and gemma models on my laptop. I haven't gotten around to doing coding with those just yet. But apparently they aren't completely horrible at it. That won't work on most cloud based vms. Unless you get a really big and expensive one. You could actually make that work if you only use them for a few minutes.

I would guess OpenAI Codex and Claude Code are well into the millions subscriber range at this point. I would venture to guess the majority of them run in yolo mode. I have only seen a few horror stories on reddit. The same way any time you drive a car you can crash and die (many times through no fault of your own).

All that said, no way in hell I’m giving either access to production databases or environments.

The fact that Claude can and does access files outside the PWD while asking for sudo to do things constantly seems to be a recipe for Anthropic scanning your system without your knowledge and saving that for 5 years if you decided to 'help improve Claude'.

No, 'safety oriented' lab has a clause like that which can't be revoked historically. Anthropic, like the majority of 'don't be evil' firms is apart of the great masquerade.

I remember someone on HN once saying they treat LLM agents like human coworkers, security-wise, and that stuck with me.

You don't give your GH keys, email credentials and ssh keys to a coworker. They have their own accounts with scoped permissions. Need them to read an email? Forward it. Need them to work on a repo? Add them as a contributor and enforce the same branch policies you would for any human.

There are still risks, but they're similar to delegating work to humans, so it's up to you how much access and trust to give.

I use a separate user account per project on my local machine (not in sudoers), which I ssh to, and also runs tmux. If I need claude code in windows, then I run a VM. The performance and (in)convenience cost of this to me is minimal. I started working this way in order to limit the "blast radius" when claude went on a dependency binge within a project.

This works well for vibecoding on a codebase in isolation, which to be fair is what the author is addressing. I don’t think it solves the problems at the current frontier of agent use though, where you expose internal infrastructure via tools to make the agent maximally productive. How to do this safely is still unsolved

OrcaBot does this with the VM but whereas the author mentions the risk of GitHub keys being leaked, OrcaBot uses a key broker to ensure the LLM doesn’t have access to any keys. It even works on the API keys to the LLMs themselves. https://orcabot.com/blog#breaking-the-lethal-trifecta

> I SSH into that server with key-forwarding

Almost back to point A then. If the server is compromised in some way, they can use (not copy) OP's keys and use them to clone repos/inject code/etc..

bsd is super easy for this kind of setup tbh. Sylve or Bastille is amazing for it. 1 liner jails setups etc. its real quick and efficient. depending on flavor u can also use pledge/unveil or capsicum or whatever to lock things down even more.

I've been doing something similar by letting Claude run in a Virtualbox VM. It's easy to use, no issues with observability, and the attack & damage surface is far less of an issue.

Generally a good idea, but I'm not sure why you should even want to fork a git repo when a local clone should be sufficient. But this is probably a terminology mixup from the way github presents forks and clones.

I've been successful with getting incus running with this for sandboxing the opencode session. I plan on writing a blog post on it.

This is what dev.exe is great for, and it comes with Pi and its own coding agent Shelley preloaded. Also it’s incredibly fast and you can easily access the VMs from your phone.

This is what yoloAI does. Automatically.

    # Create a new sandbox copying . as workdir (default container, but you can choose vm)
    yoloai new mybugfix . --isolation vm

    # attach to it (it has tmux already)
    yoloai attach mybugfix

    # Chat with the bot inside...

    # Happy with its work? Diff it to be sure
    yoloai diff mybugfix

    # Happy with the changes? Apply them to your workdir
    yoloai apply mybugfix

    # All done? Destroy the sandbox
    yoloai destroy mybugfix

The agent stays isolated at all times. No access to your secrets (except what you want), no access to your workdir until you apply. You can also easily restrict network access.

https://github.com/kstenerud/yoloai

My other Mac mini is the cloud ;)

IM new to Claude code but doesnt auth require a gui browser to authenticate the Claude session first time login?? Do you have to setup a desktop environment just for that?

the old hacker trick of using ssh

I’m building a claw / vibe coding platform that’s business safe at https://housecat.com and am also finding all the old Unix tricks working as well as ever…

- user and home directory for data

- crontab for scheduled jobs

- cgi for serving user space apps

- rsync for backups

We even rediscovered email patches but with agent to agent help making and applying them.

It’s simpler for us to operate and the agent to figure out.

Also, "ssh -A" is your friend. Keep your ssh key on your yubikey where you control it. Let Claude play on it's own VM and in its own clone of your repo. Only when you choose to add the -A, do you temporarily, for that one ssh connection, have the possibility to push Claude's work to your repo, where you can review it.

Treat it as a colleague, making PRs that you review.

Why not just not vibecode? Safer methods of injecting recreational narcotics, such madness.

...and proxy your llm traffic with your own per session tokens – if it leaks, it doesn't matter, not a real token.

Apparently using SSH is some leet hacker thing according to this OP. Lmao...

"Vibecoding?"

Gotta love how someone downvoted this.

[dead]

[dead]

[dead]

[dead]

[flagged]