Let's assume that giving a non-deterministic and easily fooled program full access to run anything it wants on your dev machine is a bad idea. Let's also assume that any "handshake promises" that the LLM won't do that, or that it will get your permission before running commands, are null and void. That is, we want confidence the agent is sandboxed, not a promise from the agent it will sandbox itself.
I'm currently aware of three possible solutions but have not tried any of them yet:
- https://imbue.com/sculptor/: container based Claude, unknown post-beta pricing model
- https://docs.augmentcode.com/using-augment/remote-agent
- Run the agent in Docker with a mounted volume for the code. Seems like it would be workable but not a great DX.
What are the current best practices for sandboxing LLM agents that still give a reasonable DX for the developers using them?