I've gone a step further:

- yoloai new mybugfix . -a # start a new sandbox using a copy of CWD as its workdir

- # tell the agent to fix the broken thing

- yoloai diff mybugfix # See a unified diff of what it did with its copy of the workdir

- yoloai apply mybugfix # apply specific git commits it made to the real workdir, or the whole diff - your choice

- yoloai destroy mybugfix

The diff/apply makes sure that the agent has NO write access to ANYTHING sensitive, INCLUDING your workdir. You decide what gets applied AFTER you review what crazy shit it did in its sandbox copy of your workdir.

Blast radius = 0

▲ throwaway290 2 hours ago | parent [-]

But then you give the llm access to all internet and any other tokens it needs right?;)

▲ kstenerud 2 hours ago | parent [-]

You can configure a network allow-list (for anything beyond what it absolutely requires in order to function).

yoloAI is just leveraging the sandboxing functionality that Docker, Kata, firecracker etc already provides.

▲ throwaway290 an hour ago | parent [-]

sorry. At this point it's just a meme how people give llms open access to internet, literally all passwords and all tokens and then they are actually surprised when something bad happens "but I run it in docker"

even if docker sandbox escapes didn't exist it's just chef's kiss

	▲	kstenerud 30 minutes ago \| parent [-]
		Yup, very irresponsible. And then the horror stories. `yoloai new --network-isolated ...` ONLY agent API traffic allowed. Everything else gets blocked by iptables. `yoloai new --network-allow api.example.com --network-allow cdn.example.org ...` ONLY agent API traffic + api.example.com and cdn.example.org. Everything else blocked by iptables.