Discussion
jaiGo hard on agents, not on your filesystem.
drtournier: GPL v3…
BoppreH: Excellent project, unfortunate title. I almost didn't click on it.I like the tradeoff offered: full access to the current directory, read-only access to the rest, copy-on-write for the home directory. With stricter modes to (presumably) protect against data exfiltration too. It really feels like it should be the default for agent systems.
mazieres: What would it take for people to stop recklessly running unconstrained AI agents on machines they actually care about? A Stanford researcher thinks the answer is a new lightweight Linux container system that you don't have to configure or think about.
fouc: [delayed]
messh: How is this different than say bubblewrap and others?
girvo: https://jai.scs.stanford.edu/comparison.html#jai-vs-bubblewr...> bubblewrap is more flexible and works without root. jai is more opinionated and requires far less ceremony for the common case. The 15-flag bwrap invocation that turns into a wrapper script is exactly the friction jai is designed to remove.Plus some other comparisons, check the page
fouc: [delayed]
triilman: What would Jonathan Blow think about this.
mememememememo: Yes. It is like walking arounf your house with a flamethrower, but you added fire retardant. Just take the flamethower to a shed you don't mind losing. Which is some kind of cloud workspace most likely. Maybe an old laptop.Still if you yolo online access and give it cred or access to tools that are authenticated there can still be dragons.
gerdesj: Oh dear Lord! (pick your $DEITY)Backups.
simonw: Suggestion for the FAQ page: does this work on a Mac?
AnotherGoodName: Add this to .claude/settings.json: { "sandbox": { "enabled": true, "filesystem": { "allowRead": ["."], "denyRead": ["~/"], "allowWrite": ["."], "denyWrite": ["/"] } } } You can change the read part if you're ok with it reading outside. This feature was only added 10 days ago fwiw but it's great and pretty much this.
harikb: I think the point would be that - some random upcoming revision of claude-code could remove or simply change the config name just as silently as it was introduced.People might genuinely want some other software to do the sandboxing. Something other than the fox.
mycall: I noticed codex has a sandbox, wondering if it has a comparable config section.
cozzyd: Should definitely block .ssh reading too...
gurachek: The examples in the article are all big scary wipes, But I think the more common damage is way smaller and harder to notice.I've been using claude code daily for months and the worst thing that happened wasnt a wipe(yet). It needed to save an svg file so it created a /public/blog/ folder. Which meant Apache started serving that real directory instead of routing /blog. My blog just 404'd and I spent like an hour debugging before I figured it out. Nothing got deleted and it's not a permission problem, the agent just put a file in a place that made sense to it.jai would help with the rm -rf cases for sure but this kind of thing is harder to catch because its not a permissions problem, the agent just doesn't know what a web server is.
cozzyd: Should be named JiaMore seriously, I'm not a heavy agent user, but I just create a user account for the agent with none of my own files or ssh keys or anything like that. Hopefully that's safe enough? I guess the truck is that it figures out a local privilege escalation exploit...
timcobb: Dunno... with this setup it seems certain that the agent will discover a zero-day to escalate privilges and send your SSH keys to its handlers in N. Korea.P.S. Everything old is new again <3
mbreese: This still is running in an isolated container, right?Ignoring the confidentiality arguments posed here, I can’t help to think about snapshotting filesystems in this context. Wouldn’t something like ZFS be an obvious solution to an agent deleting or wildly changing files? That wouldn’t protect against all issue the authors are trying to address, but it seems like an easy safeguard against some of the problems people face with agents.
adi_kurian: Claude's stock unprompted / uninspired UI code creates carbon clone components. That "jai is not a promise of perfect safety" callout box is like the em dash of FE code. The contrast, or lack thereof, makes some of the text particularly invisible.I wonder if shitty looking websites and unambitious grammar will become how we prove we are human soon.
Avicebron: The only thing that kept me on the page scrolling to the bottom where they have the disclaimer "this is a casual sandbox" was the stanford.edu..which feels like stolen valor considering how sloppy this web design is
NetOpWibby: Everything old is new again
8cvor6j844qw_d6: Interesting, thanks. I use remote ephemeral dev containers with isolated envs, so filesystem damage isn't really a concern as long as the PR looks good in review. Nice extra guardrail though, will add it to the project-level settings.
cozzyd: Is this a real sandbox or just a pretty please?
AnotherGoodName: https://code.claude.com/docs/en/sandboxing says they integrated bubblewrap (linux/windows), seatbelt (macos) and give an error if sandbox can't be supported so appears to be real.
cozzyd: Yeah definitely a concern. Probably need a sandbox and separate user for defense in depth.
gonzalohm: Not sure I understand the problem. Are people just letting AI do anything? I use Claude Code and it asks for permission to run commands, edit files, etc. No need for sandbox
charcircuit: I want agents to modify the file system. I want them to be able to manage my computer if it thinks it's a good idea. If a build fails due to running out of disk space I want it to be able to find appropriate stuff to delete to free up space.
justinde: .claude/settings.json: { "sandbox": { "enabled": true, "filesystem": { "allowRead": ["."], "denyRead": ["~/"], "allowWrite": ["."] } } }Use it! :) https://code.claude.com/docs/en/sandboxing
throwaway6734: https://docs.docker.com/ai/sandboxes/ Any idea on how that compares to this docker feature in development?
kristofferR: Also recommended:https://github.com/kenryu42/claude-code-safety-net
vardalab: unconstrained AI agents are what makes it so useful though. I have been using claude for almost a year now and the biggest unlock was to stop being a worrywart early on and just literally giving it ssh keys and telling it to fix something. ofc I have backups and do run it in VM but in that VM it helps me manage by infra and i have a decent size homelab that would be no fun but a chore without this assistant.
ray_v: [delayed]
e1g: For jailing local agents on a Mac, I made Agent Safehouse - it works for any agent and has many sane default for developers https://agent-safehouse.dev
Jach: I've done some experimenting with running a local model with ollama and claude code connecting to it and having both in a firejail: https://firejail.wordpress.com/ What they get access to is very limited, and mostly whitelisted.
avazhi: The irony is they used an LLM to write the entire (horribly written) text of that webpage.When is HN gonna get a rule against AI/generated slop? Can’t come soon enough.
rsyring: I've been reviewing Agent sandboxing solutions recently and it occurred to me there is a gaping vector for persistent exploits for tools that let the agent write to the project directory. Like this one does.I had originally thought this would ok as we could review everything in the git diff. But, it later occurred to me that there are all kinds of files that the agent could write to that I'd end up executing, as the developer, outside the sandbox. Every .pyc file for instance, files in .venv , .git hook files.ChatGPT[1] confirms the underlying exploit vectors and also that there isn't much discussion of them in the context of agent sandboxing tools.My conclusion from that is the only truly safe sandboxing technique would be one that transfers files from the sandbox to the dev's machine through some kind of git patch or similar. I.e. the file can only transfer if it's in version control and, therefore presumably, has been reviewed by the dev before transfer outside the sandbox.I'd really like to see people talking more about this. The solution isn't that hard, keep CWD as an overlay and transfer in-container modified files through a proxy of some kind that filters out any file not in git and maybe some that are but are known to be potentially dangerous (bin files). Obviously, there would need to be some kind of configuration option here.1: https://chatgpt.com/share/69c3ec10-0e40-832a-b905-31736d8a34...
