upvote

points

by hoppp6 hours ago |
comments
upvoteby tiew9Vii6 hours ago|
[-]
A lot of people have secrets/config files in the projects working directory but ignored by git i.e. `.env.local`

So they're following best practice, not committing secrets but agents running locally can still see them even if sandboxing to the working directory.

I've taken to storing configs using XDG_CONFIG_HOME and have the app auto resolve them by convention or take a cli arg to specify the config path. All secrets are in files, not env vars.

That way when using sandboxing the agent can never see the configs or secrets as outside the working directory.

reply
upvoteby hoppp5 hours ago|
parent|
[-]
Sounds like a good way to do it.

Makes me think of docker secret where the secrets are exposed as files and accessable only from inside the container.

If the development environment uses docker then thats a solution too I guess

reply
upvoteby SoftTalker5 hours ago|
parent|
[-]
If you let your agent use docker you've basically given it root on your machine.
reply
upvoteby hoppp4 hours ago|
parent|
[-]
I use podman btw

Its aliased to docker

Building a project as a container and giving an agent access to running docker commands are different things.

reply