Hacker News | awayto's comments


I think one or both also have Roku channels as well


> Run pwd to see the directory you’re working in. You’ll only be able to edit files in this directory.

If you're using the agent to produce any kind of code that has access to manipulate the filesystem, may as well have it understand its own abilities as having the entirety of CRUD, not just updates. I could easily see the agent talking itself into working around "only be able to edit" with its other knowledge that it can just write a script to do whatever it wants. This also reinforces to devs that they basically shouldn't trust the agent when it comes to the filesystem.

As for pwd for existing projects, I start each session running tree local to the part of the project filesystem I want to have worked on.


Google has what I would call a generous free tier, even including Gemini 2.5 Pro (https://ai.google.dev/gemini-api/docs/rate-limits). Just get an API key from AiStudio. Also very easy to just make a switch in your agent so that if you hit up against a rate limit for one model, re-request the query with the next model. With Pro/Flash/Flash-Lite and their previews, you've got 2500+ free requests per day.


You can build your agent into a docker image then easily limit both networking and file system scope.

    # -v mounts only the current folder, restricting the file system the agent can touch
    # --dns=127.0.0.1 points the container's DNS at localhost, so outside names don't resolve
    # --add-host punches a hole for just the api host your agent calls (resolved on the host)
    docker run -it --rm \
      -e SOME_API_KEY="$(SOME_API_KEY)" \
      -v "$(shell pwd):/app" \
      --dns=127.0.0.1 \
      $(shell dig +short llm.provider.com 2>/dev/null | awk '{printf " --add-host=llm.provider.com:%s", $$0}') \
      my-agent-image
Probably could be a bit cleaner, but it worked for me.


Putting it inside docker is probably fine for most use cases but it's generally not considered to be a safe sandbox AFAIK. A docker container shares kernel with the host OS which widens the attack surface.

If you want your agent to pull untrusted code from the internet and go wild while you're doing other stuff it might not be a good choice.


Could you point to some resources which talk about how docker isn't considered a safe sandbox given the network and file system restrictions I mentioned?

I understand the sharing of kernel, while I might not be aware of all of the implications. I.e. if you have some local access or other sophisticated knowledge of the network/box docker is running on, then sure you could do some damage.

But I think the chances of a whitelisted llm endpoint returning some nefarious code which could compromise the system is actually zero. We're not talking about untrusted code from the internet. These models are pretty constrained.


Also if you're doing function calls you can just have the command as one response param, and arguments array as another response param. Then just black/white list commands you either don't want to run or which should require a human to say ok.


Blacklist is going to be a bad idea since so many commands can be made to run other commands with their arguments.


Yeah I agree. Ultimately I would suggest not having any kind of function call which returns an arbitrary command.

Instead, think of it as if you were enabling capabilities for AppArmor, by making a function call definition for just 1 command. Then over time suss out what commands you need your agent to do and nothing more.
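One way to do what the comment above describes, as an added example and not the commenter's own code: one tool definition per command, each with a fixed executable and flags, validated arguments, and an approval hook for the commands that should require a human to say ok; there is deliberately no tool that takes an arbitrary command string. The workspace path and the three tools are assumptions made for the example.

```python
from __future__ import annotations
import subprocess
from pathlib import Path
from typing import Callable

# Constructed workspace root for the example; in practice this is the only
# directory mounted into the agent's container.
WORKSPACE = Path("/tmp/agent-workspace").resolve()

def workspace_path(rel: str) -> str:
    """Validate a model-supplied relative path; refuse anything outside WORKSPACE."""
    p = (WORKSPACE / rel).resolve()
    if p != WORKSPACE and WORKSPACE not in p.parents:
        raise PermissionError(f"path escapes workspace: {rel!r}")
    return str(p)

def commit_message(msg: str) -> str:
    """Keep the message a single short plain line."""
    if not msg or "\n" in msg or len(msg) > 200:
        raise ValueError("bad commit message")
    return msg

# One tool per command: name -> (fixed argv prefix, (arg name, validator) pairs, needs approval).
# The executable and its flags are fixed here; the model only fills in validated arguments.
TOOLS = {
    "list_files": (["ls", "-la"], [("path", workspace_path)], False),
    "git_status": (["git", "status", "--short"], [], False),
    "git_commit": (["git", "commit", "-m"], [("message", commit_message)], True),
}

def build_argv(call: dict) -> tuple[list[str], bool]:
    """Map a model tool call {"name": ..., "args": {...}} onto a fixed argv.
    Returns (argv, needs_approval); raises on anything not explicitly allowed."""
    name = call.get("name")
    if name not in TOOLS:
        raise ValueError(f"tool not allowed: {name!r}")
    prefix, params, needs_approval = TOOLS[name]
    args = call.get("args", {})
    extra = set(args) - {p for p, _ in params}
    if extra:
        raise ValueError(f"unexpected arguments: {sorted(extra)}")
    argv = list(prefix)
    for pname, validate in params:
        if pname not in args:
            raise ValueError(f"missing argument: {pname}")
        argv.append(validate(str(args[pname])))
    return argv, needs_approval

def run_tool(call: dict, approve: Callable[[list[str]], bool]) -> subprocess.CompletedProcess:
    """Execute an allowed tool call. Gated tools run only if `approve` says yes; argv is
    passed as a list with no shell, so an argument can't splice in a second command."""
    argv, needs_approval = build_argv(call)
    if needs_approval and not approve(argv):
        raise PermissionError(f"operator declined: {argv}")
    return subprocess.run(argv, cwd=WORKSPACE, capture_output=True, text=True, timeout=30)
```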


I dabbled with this kind of issue in my docs and ended up using JavaScript's Intersection Observer [0]. It's not a perfect solution [1], but I think it worked well enough [2]. It just identifies when the element comes on screen and then marks it as active however you please. I do appreciate the depth the article went into though!

[0] https://developer.mozilla.org/en-US/docs/Web/API/Intersectio...
[1] https://github.com/keybittech/awayto-v3/blob/main/landing/la...
[2] https://awayto.dev/docs/0.3.0/


FYI - you aren't handling the "scroll up" case.

To see what I mean, click "Creating a Feature" then start scrolling up. Notice that "Creating a Feature" is still highlighted even though the entire screen is made up of text from the "Software" section.

I probably only noticed this because I recently implemented a similar "active anchor" solution with Intersection Observer.


This is by far the best solution. Super simple and covers all those issues.


  Location: Oregon
  Remote: Yes
  Willing to relocate: No
  Technologies: Go/Python/TS/JS/HTML/CSS/Java/C#
  Résumé/CV: https://www.linkedin.com/in/joe-mccormick-76224429/
  Email: joe [-at-] keybittech.com
Been writing code for 25+ years. 10+ years professionally. Started freelancing a few years back. I've done a number of projects with the community so far, and really hoping to find new avenues currently. On the side I release a great deal of open source software at https://github.com/jcmccormick.

I've made web applications (front and back end concurrently) for the majority of my time developing. However, now I have turned my sights on to LLM use. I have now learned how to work with all kinds of backends (JAX, Transformers, PyTorch, etc.) while being able to effectively fine tune my own models (from other bases). Definitely not a math major, but I do understand the practical use and intentions of model layers, matrix multiplications, and other various inner processes of neural networks.

I am currently working on a project that produces AST parses of one of my projects (20k+ loc), turns them into embeddings, and trains a model to answer questions and help me continue to code that project. All I can say is that it does work on principle, and is just a matter of time before I'll have a generalized pipeline for such projects.

If any of this sounds valuable to you, I'm certainly looking forward to utilizing my knowledge, so please do reach out via linkedin messenger, or my email. Thanks for your time.


For those moments when you just don't know what (5 phrases) to say?


I made something pretty similar over winter break so I could have something read books to me. ... Then it turned into a prompting mechanism of course! It uses Whisper, Ollama, and TTS from CoquiAI. It's written in shell and should hopefully be "POSIX-compliant", but it does use zenity from Ubuntu; not sure how widely used zenity is.

https://github.com/jcmccormick/runtts


On routing, make sure any endpoints used between containers are (1) configurable, and (2) using the docker internal network naming conventions when working locally.

For example I have a compose with 10+ containers in it. Each container that needs to talk to another has some kind of environment property to tell it the name of that other container. So the "api" container might have a property called DB_HOST="db", "db" being the name of the db container.

Now, when developing i.e. the "api" image locally, your local dev server should be configured in the same way, providing the DB_HOST property to your local dev server environment. By doing this, you can completely stop the "api" container, allowing the local dev server to take its place, configured to talk to your other containers running in the docker network.

This way you are maintaining the local dev server setup that we've been using for ages and not developing directly on a docker image or dependent on its build cycle, etc.

