Thank you, good question! My original implementation was actually a bunch of manifests on my own microk8s cluster. I was finding that this meant a lot of ad-hoc adjustments with every little tweak. (Ironic, given the whole "pets vs cattle" thing.) So I started testing the changes in a VM.
Then I was talking to a security engineer at my company, who pointed out that a VM would make him feel better about the whole thing anyway. And it occurred to me: if I packaged it as a VM, then I'd get both isolation and determinism. It would be easier to install and easier to debug.
So that's why I decided to go with a Vagrant-based installation. The obvious downside is that it's harder now to integrate it with external systems or to use the full power of whatever environment you deploy it in.
I peeked at the Vagrantfile, and I noticed that you rsync the working directory into the VM. I have two more questions.
1. Is it safe to assume that I am expected to develop inside the VM? How do I run an IDE/vim as well as using Claude Code, while the true copy of the code lives in the VM?
2. What does yolo-cage provide on top of just running a VM? I mean, there is a lot of code in the GitHub. Is this the glue code to prepare the VM? Is this just QOL scripts to run/attach to the VM?
1. It's designed to give you an experience identical to using the Claude Code CLI in every respect, but with a much smaller blast radius. It's not currently set up to work with your IDE. In that sense, it's a niche solution: I made it because I was trying to use a lot of agents at once, and I found that the rate-limiting factor was my ability to review and respond to permission pop-ups.
2. The VM is, in some sense, packaging. The main value adds are the two indirections between the agent and the outside world. Its access to both `git` and `gh` is mediated by a rules-based dispatcher that exercises fine-grained control in excess of what can be achieved with a PAT. HTTP requests pass through a middleware that blocks requests based on configurable rules.
See: A field guide to sandboxes for AI¹ on the threat models.
> I want to be direct: containers are not a sufficient security boundary for hostile code. They can be hardened, and that matters. But they still share the host kernel. The failure modes I see most often are misconfiguration and kernel/runtime bugs — plus a third one that shows up in AI systems: policy leakage.
I find using Docker containers more complex - you need a Dockerfile instead of a regular install script, they tend to be very minimal and lack typical Linux debugging tools for the agent, they lose state when stopped.
Instead I'm using LXC containers in a VM, which are containers that look and feel like a VM.
> It feels like the only solution is to go live in a forest, and disconnect from everything.
As much as I approve of living in forests, you don't need to go that far. Tech bros are fond of things being "frictionless," so add some friction. Delete the social media apps from your phone and use their websites instead. Don't bookmark the sites, but make yourself type in the URLs each time you want to visit. If each visit is intentional, instead of something you do automatically when you're bored, you'll have a better experience.
I always knew that "Unlimited PTO" is beneficial to the company rather than its employees. It's the same trick of "we offer [20% lower base salary than market rate] + 2.79% equity" - it sounds like you could break the bank from equity by earning less actual money, but in reality, most of this equity is not worth the bytes it occupies on the servers.
I noticed an interesting pattern. People who “made it”, usually by working high-paying jobs for the neofeudal lords, suddenly gain a moral compass and tell the rest of us to not work for said neofeudal lords, because “money is not important”, and apparently you can buy a place to live or food to feed your family simply by having principles.
I agree with your point, and superficially OP is a prime example.
Not to excuse the guy, but I think that, looking deeper, the situation with geohot is more involved. He grew up in a lower-middle-class household and was lucky to be a smart kid in a time when being a nerd could be a ticket out.
I guess not unlike many of us here on HN.
Unlike many of us, his explorations in the corporate world were all short stints. If I’ve kept tabs correctly, he never stayed longer than a year. Sometimes only for weeks.
Apart from that, I often take the pattern you noticed more as confession, penance, and a "tell your children not to walk my way" kind of message. Maybe I read this stuff too generously.
Sure, self-awareness is important. When you tell your kids not to walk your way, you take accountability. You say that what you did was bad, and you are accountable for it. You also acknowledge that what you did brought you to where you are, but given the chance you would take a different way. It’s not bad to have moral principles after you’ve done what you fight against, as long as you do it with accountability and self-awareness.
“Opt out of capitalism” doesn’t work when you’re trying to feed your family. He offers no alternative, speaks from a place of safety with no acknowledgment that the people he’s addressing don’t have the same safety net as he does.[0]
He’s not wrong. We are all fucked. But if it were as simple as “not participating” (whatever that means), then we wouldn’t be.
[0]: to be fair he does address others at tech companies, maybe he assumes that everyone working in big tech has a safety net, which is perhaps not as unreasonable as I first thought.
That's why they are also more egocentric, racist, etc. When people do not feel the threat of society it is easier to have opinions that verge out of the norm or could restrict further employment (and also opinions that are wrongfully or rightfully policed in society).
Probably not a popular opinion but this is why capitalism works. We all work to compete for what is best for US and our Family, not what someone tells us to work on because they think they know what's better, they don't.
Welp, I'm worried. I like Astro, but maybe it's time to make my own SSG, to not ever end up in the hands of a few big-sharks that consolidate and enshittify everything.
It’s not only about the .env, but also intellectual property, algorithms, even product ideas.
Moreover, let’s say you run a dev server with watch mode, and ask Claude to implement a feature. Claude can generate code that reads your .env (from within the server) and sends it to some third-party URL. The watch mode would catch it, reload the server, and run the code. By the time you catch it, it’s too late. I know it’s far-fetched, and maybe the paranoia is coming from my lack of understanding these tools well, but in the end they are probabilistic token generators that were trained on all code in open existence, including malware.
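The scenario in the comment above (generated code reading `.env` and posting it to a third-party URL) is what an egress filter, like the HTTP middleware mentioned earlier on this page, is meant to stop. The following is an added example, not part of the thread and not yolo-cage's code: a minimal rule check a filtering proxy could apply to each outbound request. The allowlist, the sample `.env` content and all function names are assumptions made for illustration.

```python
import base64
from urllib.parse import quote, urlsplit

# Constructed sample .env content (placeholder values, not real secrets).
SAMPLE_ENV = '''# local dev settings
DEBUG=true
API_KEY="sk-test-1234567890abcdef"
DATABASE_URL=postgres://app:s3cretpassw0rd@db.internal/app
'''

# Assumed egress allowlist for this sketch.
ALLOWED_HOSTS = {"api.anthropic.com", "github.com"}


def load_secret_values(env_text, min_len=8):
    """Collect .env values long enough to match without false positives."""
    values = set()
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        value = line.split("=", 1)[1].strip().strip("'\"")
        if len(value) >= min_len:
            values.add(value)
    return values


def encodings(value):
    """The value as-is plus two trivial re-encodings a leak might use."""
    return {value, quote(value, safe=""),
            base64.b64encode(value.encode()).decode()}


def check_request(url, body, secrets, allowed_hosts=frozenset(ALLOWED_HOSTS)):
    """Return (allowed, reason) for one outbound HTTP request."""
    host = (urlsplit(url).hostname or "").lower()
    if host not in allowed_hosts:
        return False, f"host not allowlisted: {host}"
    payload = url + "\n" + body
    for secret in secrets:
        if any(form in payload for form in encodings(secret)):
            # An allowlisted host can still act as a drop (issues, gists).
            return False, "request carries a value from .env"
    return True, "ok"
```

Content matching only catches values sent verbatim or in the listed encodings, so the host allowlist is the primary control and the secret scan is a second layer for traffic to allowed hosts.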
It looks this way at first glance, but at the end of the article is a link to the original:
> If you’d like an essay-formatted version of this post to read or share, here’s a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
Hell no. I would mess with my stuff, no AI, no bullshit, just fun programming. But I would also do things for myself: better health, better food, better socialization.
Liquid glass is a piece of crap from Apple. I didn’t update my iPhone, nor my Mac. I will hold for as long as possible, and will consider switching away from the Apple ecosystem if they do not address this fiasco of an update.