mdavid626 3 hours ago

I trust sandbox-exec more, or Docker on Linux. Those come from the OS, well tested and known.

A MITM proxy is a nice idea to avoid leaking secrets. Isn’t it very brittle though? Anthropic changes some URLs and it’ll break.

afshinmeh 3 hours ago | parent [-]

Thanks for sharing that. Zerobox _does_ use the native OS sandboxing mechanisms (e.g. seatbelt) under the hood. I'm not trying to reinvent the wheel when it comes to sandboxing.

Re the URLs, I agree, that's why I added wildcard support, e.g. `*.openai.com` for secret injection as well as network call filtering.
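How a wildcard rule like `*.openai.com` can drive both decisions mentioned above (is the call allowed out, and does the proxy add the real credential) is shown below. This is an added illustration, not Zerobox's code; the rule set, header names and token values are constructed placeholders. The point worth checking in any such matcher is that the wildcard is matched on a DNS label boundary, so a look-alike host cannot satisfy it; the naive suffix check is included for contrast.

```python
"""Wildcard host rules for an egress-filtering, secret-injecting proxy.

Added illustration, not Zerobox's own code. A rule like `*.openai.com`
decides two things for a request coming out of the sandbox: whether the
call may leave at all, and whether the proxy adds a real credential the
sandboxed process never held. Matching is done on DNS label boundaries.
"""
from dataclasses import dataclass, field


@dataclass
class HostRule:
    pattern: str                                 # "api.openai.com" or "*.openai.com"
    inject: dict = field(default_factory=dict)   # headers added when the rule matches

    def matches(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        pat = self.pattern.lower()
        if pat.startswith("*."):
            # ".openai.com": the leading dot forces a label boundary, so
            # "notopenai.com" and "openai.com.attacker.example" never match.
            suffix = pat[1:]
            return host.endswith(suffix) and len(host) > len(suffix)
        return host == pat


def naive_matches(pattern: str, host: str) -> bool:
    """The common mistake: bare suffix matching with no label boundary."""
    return host.lower().endswith(pattern.lstrip("*.").lower())


class EgressPolicy:
    """Ordered allowlist: first matching rule wins; unmatched hosts are denied."""

    def __init__(self, rules: list):
        self.rules = rules

    def evaluate(self, host: str, headers: dict) -> tuple:
        for rule in self.rules:
            if rule.matches(host):
                # The real credential overrides whatever placeholder the sandbox sent.
                return True, {**headers, **rule.inject}
        return False, dict(headers)


# Constructed sample policy; the token values are placeholders, not real keys.
POLICY = EgressPolicy([
    HostRule("*.openai.com", inject={"Authorization": "Bearer REAL-TOKEN-PLACEHOLDER"}),
    HostRule("api.anthropic.com", inject={"x-api-key": "REAL-KEY-PLACEHOLDER"}),
])

if __name__ == "__main__":
    sandbox_headers = {"Authorization": "Bearer SANDBOX-PLACEHOLDER"}
    for host in ("api.openai.com", "openai.com", "notopenai.com",
                 "api.openai.com.attacker.example", "api.anthropic.com"):
        allowed, hdrs = POLICY.evaluate(host, sandbox_headers)
        print(f"{host:35} allowed={allowed!s:5} "
              f"naive_wildcard={naive_matches('*.openai.com', host)}")
```

Note that, as with ordinary glob semantics, `*.openai.com` does not match the bare apex `openai.com`; if the apex should be reachable it needs its own exact rule rather than a looser pattern.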

mdavid626 3 hours ago | parent | next [-]

You know, the thing is that it is super easy to create such tools with AI nowadays. …and if you create your own, you can avoid these unnecessary abstractions. You get exactly what you want.

mdavid626 3 hours ago | parent | prev [-]

How do you intercept network traffic on mac os? How do you fake certificates?

afshinmeh 3 hours ago | parent [-]

Zerobox creates a cert in `~/.zerobox/cert` on the first proxy run and reuses that. The MITM process uses that cert to make the calls, inject certs, etc. This is actually done by the underlying Codex crate.

mdavid626 3 hours ago | parent [-]

Yeah, but how does the sandboxed process “know” that it has to go through the proxy? How does it trust your certificate? Is the proxy fully transparent?

afshinmeh 3 hours ago | parent [-]

Oh I see. It injects HTTP_PROXY/HTTPS_PROXY/etc. env vars into the process so that all sandboxed subprocesses go through the proxy.
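The environment-variable approach described above, as an added example that is not Zerobox's code: it builds the environment a sandboxed child is launched with (secrets stripped, proxy variables set in both spellings, an optional CA bundle exported under the names common TLS clients read), spawns the child and has it report what it actually sees. The CA file path and the secret name are constructed placeholders, and exporting the CA path via `SSL_CERT_FILE`, `REQUESTS_CA_BUNDLE` and `NODE_EXTRA_CA_CERTS` is an assumption about how a child could be made to trust the proxy's certificate; the thread does not say how Zerobox does that.

```python
"""Routing a sandboxed child through a proxy with environment variables.

Added illustration, not Zerobox's own code. Secrets named in `secret_names`
are removed from the child's environment (the proxy re-adds them at the
network edge), HTTP_PROXY/HTTPS_PROXY are set in both spellings, and an
optional CA bundle path is exported under the variable names that
OpenSSL/curl, Python requests and Node read (an assumption about how the
child is made to trust the proxy certificate).
"""
import json
import os
import subprocess
import sys
from typing import Optional

PROXY_VARS = ("HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy")
CA_TRUST_VARS = ("SSL_CERT_FILE", "REQUESTS_CA_BUNDLE", "NODE_EXTRA_CA_CERTS")


def build_sandbox_env(parent_env: dict, proxy_url: str, ca_bundle: Optional[str],
                      secret_names: tuple) -> dict:
    """Return the environment to launch the sandboxed child with."""
    env = {k: v for k, v in parent_env.items() if k not in secret_names}
    for name in PROXY_VARS:
        env[name] = proxy_url
    # Keep loopback traffic direct; everything else goes via the proxy.
    env["NO_PROXY"] = env["no_proxy"] = "localhost,127.0.0.1"
    if ca_bundle:
        for name in CA_TRUST_VARS:
            env[name] = ca_bundle
    return env


def child_view(env: dict) -> dict:
    """Spawn a child with `env` and return the environment the child reports."""
    code = "import json, os; print(json.dumps(dict(os.environ)))"
    out = subprocess.run([sys.executable, "-c", code], env=env,
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def demo() -> dict:
    # Constructed parent environment holding a secret the sandbox must not see.
    parent = {**os.environ, "OPENAI_API_KEY": "sk-PLACEHOLDER-NOT-REAL"}
    env = build_sandbox_env(parent, "http://127.0.0.1:8080",
                            "/path/to/proxy-ca.pem",      # placeholder path
                            secret_names=("OPENAI_API_KEY",))
    return child_view(env)


if __name__ == "__main__":
    seen = demo()
    print("child HTTPS_PROXY:", seen.get("HTTPS_PROXY"))
    print("child SSL_CERT_FILE:", seen.get("SSL_CERT_FILE"))
    print("child has OPENAI_API_KEY:", "OPENAI_API_KEY" in seen)
```

The caveat this makes visible is the one the question above is getting at: these variables are advisory. A client that ignores them, or that opens a raw socket, bypasses the proxy entirely, so the sandbox's own network policy (not the env vars) is what actually bounds egress; the proxy is where secrets get added, not where traffic is forced.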