| ▲ | TheDong 2 hours ago | ||||||||||||||||
The difference is that git is a traditional programming tool which executes deterministically. agents are not deterministic tools, they're not sandboxes or container runtimes or languages with capabilities models. They're a way to run arbitrary commands. It would be like saying that "xterm" should have a ".xtermnoexec" list of commands you can't run, or that VLC should have an option for actors it won't show. terminals run shells which run commands, it's not really deeply aware of what commands your shell ultimately run, and it's not in xterm's job to setup a sandbox and strip out executables. VLC displays pixels, it's not up to it to figure out if those pixels are a certain actor. codex pipes text and tool calls back and forth between OpenAI's servers, and it barely understands what that text and those tool calls are, and especially if a given tool touched a file. If you want VLC to not display an actor, you need to add a layer on top of VLC to stop it displaying a list of movies. If you want codex to not display a file's contents, you need a layer on top of codex to prevent it going near that file. | |||||||||||||||||
| ▲ | SoftTalker 2 hours ago | parent [-] | ||||||||||||||||
bash actually has a "restricted" mode which is sort of like that. In restricted mode, the following are disallowed: - Changing directories with cd. - Setting or unsetting the values of SHELL, PATH, HISTFILE, ENV, or BASH_ENV. - Specifying command names containing /. - Importing function definitions from the shell environment at startup. - Parsing the values of BASHOPTS and SHELLOPTS from the shell environment at startup. ... some other things mainly preventing you from escaping or disabling the restricted mode. | |||||||||||||||||
| |||||||||||||||||