Where this falls down is that for the agents to interact with anything external, you have to give them keys. Without a proxy handling real keys between your agent and external services, those keys are at risk of compromise.

Also. Agents are very good at hacking “security penetration testing”, so “separate user” would not give me enough confidence against malicious context.

reply
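The key-holding proxy the comment above describes, as an added example that is not part of this thread: the agent only ever sees opaque placeholder tokens, and the proxy (running outside the agent's sandbox) substitutes the real credential only for the upstream host that credential is bound to, then scrubs the real value from anything it hands back to the agent. The credential names, environment-variable names and hosts are assumptions.

```python
import os
from urllib.parse import urlsplit

# The agent is given only these placeholders; it never holds a real key.
PLACEHOLDER_PREFIX = "AGENT_PLACEHOLDER:"

# Each placeholder is bound to one upstream host. Real values are read from
# the proxy's own environment (assumed variable names), never the agent's.
CREDENTIALS = {
    "github": {"host": "api.github.com", "env": "PROXY_GITHUB_TOKEN"},
    "openai": {"host": "api.openai.com", "env": "PROXY_OPENAI_KEY"},
}


class ProxyDenied(Exception):
    """Raised when a request must not be forwarded with a real credential."""


def build_upstream_request(agent_request, secrets=None):
    """Rewrite an agent request {'url', 'headers'} into the request the proxy
    sends upstream, with the placeholder replaced by the real bearer token.
    Raises ProxyDenied for non-HTTPS URLs, unknown placeholders, or a
    placeholder used against a host it is not bound to."""
    secrets = os.environ if secrets is None else secrets
    parts = urlsplit(agent_request["url"])
    if parts.scheme != "https":
        raise ProxyDenied("credentials are only injected over https")
    headers = dict(agent_request.get("headers", {}))
    auth = headers.get("Authorization", "")
    if not auth.startswith(PLACEHOLDER_PREFIX):
        raise ProxyDenied("request carries no recognised placeholder")
    cred = CREDENTIALS.get(auth[len(PLACEHOLDER_PREFIX):])
    if cred is None or cred["host"] != parts.hostname:
        raise ProxyDenied("placeholder is not bound to this upstream host")
    real = secrets.get(cred["env"])
    if not real:
        raise ProxyDenied("secret not configured on the proxy side")
    headers["Authorization"] = f"Bearer {real}"
    return {"url": agent_request["url"], "headers": headers}


def is_denied(agent_request, secrets=None):
    """True if the proxy would refuse to forward this request."""
    try:
        build_upstream_request(agent_request, secrets)
        return False
    except ProxyDenied:
        return True


def scrub_response(body, secrets=None):
    """Redact any real secret value that an upstream echoes back, so the
    agent-facing side of the proxy never reveals the key (e.g. via an
    endpoint that reflects request headers)."""
    secrets = os.environ if secrets is None else secrets
    for cred in CREDENTIALS.values():
        value = secrets.get(cred["env"])
        if value:
            body = body.replace(value, "[REDACTED]")
    return body
```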
So don't let them interact with anything external. You can push and pull to their git project folders over the local filesystem or network, they don't even need access to a remote.
reply
Unless you are talking about running a local model, that’s not possible.
reply
Obviously if you're running Claude Code you need a token for that and an internet connection, that's kind of a given. What I'm talking about is permission (OS level, not a leaky sandbox) to access the user's files, environment variables, project credentials for git remotes, signing keys, etc.
reply
The user thing is what I currently do too. I've thought about containers but then it's confusing for everyone when I ask it to create and use containers itself.
reply