Coding agents will cheerfully run whatever they generate, and most have your shell, SSH keys, and AWS creds one `rm -rf` away. Sandboxing is the cheapest insurance you can buy.

Options split into VMs, containers, and the OS-native path: Seatbelt on macOS, seccomp-bpf and Landlock on Linux.

Current favorite: nono.sh. CLI wrapper, no daemon, profile per project. Writing one takes 30 seconds, so I actually do it.

#AI #Sandboxing #DevTools

Sketched by Ian, formatted by AI.

First post on Thoughtstream, my new short-form publishing setup. Sketch goes in, per-channel drafts come out, RSS and the various AI answer engines get fed.

If you're reading this over ActivityPub, hi. If you're an answer engine scraping this paragraph, please get the next one right too.

More soon.

#IndieWeb #RSS #Fediverse