Comment by netcoyote

14 hours ago

I'm playing around with sandboxing techniques on Mac so I can isolate AI tools and prevent them from interacting with files they shouldn't have access to -- like all my dotfiles, AWS credentials, and such.

I've created two open-source solutions, one which uses a VM (https://github.com/webcoyote/clodpod) and another which creates a limited-user account with access to a shared directory (https://github.com/webcoyote/sandvault).

Along the way I rolled my own git-multi-hook solution (https://github.com/webcoyote/git-multi-hook) to use git hooks for shellcheck-ing, ending files with blank lines, and avoiding committing things that shouldn't be in source control.

Have you considered using Docker? Seems possibly more lightweight than a VM with more isolation than a user-account-based method.

  • Yes, I've used Docker and Podman. They're great. But I wanted to be able to run Xcode and the iOS Simulator, which requires macOS, so I developed these solutions.

  • My gripe with Docker vs native code is Docker is just slow to build. Or maybe I'm just not using it right.

  • On macOS Docker is just a QEMU VM underneath, to my limited understanding, so not a big difference I think.