Sandboxing the agentic-fm LLM - General Privacy/Security. #20
Replies: 1 comment
Security and risk assessment is going to be something that is of a personal nature. In my particular case, I don't want to have to continually approve everything so while working on the project itself I'm working in a sandboxed container - with dangerously enabled. But, when working on an actual FileMaker solution, I do need access to the clipboard. It should be possible to facilitate this while an agent is running in a sandbox. You simply need to give it the access via a pipeline. While I've not investigated this yet, as I've been working on improving the webviewer feature, I'm sure we'll come up with some suggestions and we can make a document at the root of the repo called SECURITY.md to advise developers on their options. Ultimately, developers will end up using a wide variety of methods; containers, full VM, local box, remote box, VPS, etc. One thing that will need to be investigated is a possible proxy agent. It would be possible to use one agent for full root access on a dedicated sandbox where permissions are bypassed. By mounting the agentic-fm folder only, it does not have access to the full host machine. Then, on the host you can create a proxy "clipboard agent" which has a limited set of what it can do, primarily just interacting with the clipboard. This is just one possible solution. I am working on some other "behind the scenes" enhancements to the whole project and I'll take this into consideration when evolving those features.
Just looking for general ideas on sandboxing.
As agentic-fm is something we install on our own systems, there needs to be a discussion about how we protect those systems, and our own privacy. And ultimately an easy-to-follow guide.
Having played a fair bit with Claude Code and agentic-fm over the last week or two, I've got some concerns about how much control I'm giving to Claude.
I think agentic-fm needs a base "settings.json" and some examples of more elaborate "settings.local.json" files with pros and cons to consider individually to allow more control.
At the end of the day we're fm devs... when outside of FM, give me the steps :D
Even then.
I can control how Claude starts a task. I can allow many bash commands like ls, find, echo; these are generally harmless. But running python3 - much of agentic-fm needs this. But that script can go outside the bounds of the sandbox.
More my concern - python3 -c "" - Claude can do just about whatever it likes from here.
So I'm torn between 'approval fatigue' and making sure Claude is actually not doing anything outside of scope - like elevating its privileges that could later mess with my system and expose my passwords to the dark web....
Just today it was trying to update its own CLAUDE.md - I know it doesn't mean harm, it's just trying to do what it thinks I need.
But let me be the judge (which it did, it asked me if it could make the edit)
To me - these tools are our apprentice, not our all powerful master. We need to keep close tabs so they don't try to over please!!
So.
The ultimate seems to be using a Docker dev container. But this makes it difficult at the FM end. I'm guessing adding scripts to the clipboard won't work with clipboard.py, because it copies to the container's clipboard, not the host OS.
While resource heavy - maybe a VM isolated from the host OS with FMS/FMP installed.
Or completely separate hardware - who doesn't have an old Mac mini lying around :D
Is there something else? Am I just being paranoid about Skynet? What's everybody else doing?
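As an added example of the kind of "base settings.json" asked for above (not a file from the agentic-fm repo), here is a project-level `.claude/settings.json` that allowlists the harmless read-only commands named in the post while explicitly denying the `python3 -c` escape hatch, privilege elevation and reads of secrets. It assumes Claude Code's `permissions.allow` / `permissions.deny` prefix-rule syntax (`Tool(prefix:*)`), that deny rules take precedence over allow rules, and a hypothetical `scripts/` folder holding the project's own Python helpers; anything matching neither list still falls back to the normal approval prompt.

```json
{
  "permissions": {
    "allow": [
      "Bash(ls:*)",
      "Bash(find:*)",
      "Bash(echo:*)",
      "Bash(git status:*)",
      "Bash(git diff:*)",
      "Bash(python3 scripts/:*)"
    ],
    "deny": [
      "Bash(python3 -c:*)",
      "Bash(python -c:*)",
      "Bash(sudo:*)",
      "Bash(curl:*)",
      "Read(~/.ssh/**)",
      "Read(./.env)"
    ]
  }
}
```

Note that an allowlisted script such as `scripts/clipboard.py` still runs with your full user privileges, so the allowlist only reduces approval fatigue; it does not replace the container or VM boundary discussed above.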