That's a bit better, but the subtleties of even the basic shell commands are enough that you still need to be conservative. Plus there's still the issue of the approve/deny mechanism being part of the agent process, and thus subvertable by the agent.
I took a different approach with https://github.com/kstenerud/yoloai
- The agent is put entirely in a container or VM sandbox (docker, podman, gvisor, kata, seatbelt, tart)
- The agent safely runs with --dangerously-skip-permissions because it can't touch your files or system directly. You can even restrict its network access.
- You review the results of its work using "yoloai diff mysandbox"
- You selectively apply the results of its work using "yoloai apply mysandbox". Commits it makes are available to cherry pick or just accept whole.
A workaround for their own badly thought-out permissions system? More likely another internal fix they decided to release.