Show HN: Sandbox agents without losing your dev environment
github.comDrop is a Linux sandboxing tool with a focus on a productive local workflow. It isolates programs and agents while preserving as many aspects of your work environment as possible.
The workflow is inspired by Python's virtualenv: create an environment, enter it, work normally - but with enforced sandboxing. To create a new Drop environment and run a sandboxed shell you simply:
alice@zax:~/project$ drop init
Drop environment created with config at /home/alice/.config/drop/home-alice-project.toml
alice@zax:~/project$ drop run
(drop) alice@zax:~/project$ cat ~/.ssh/id_rsa
cat: /home/alice/.ssh/id_rsa: No such file or directory
The need for a tool like Drop had been with me for a long time. I felt uneasy installing and running out-of-distro programs with huge dependency trees and no isolation. On the other hand I dreaded the naked root@b0fecb:/# Docker shell. The main thing that makes Docker great for deploying software - a reproducible, minimal environment - gets in the way of productive development work: tools are missing from a container; config files and environment variables are all unavailable.
The last straw that made me start building Drop was LLM agents. To work well - compile code, run tests, analyze git logs - agents need access to tools installed on the machine. But giving agents unrestricted access is so clearly risky, that almost every discussion on agentic workflows includes a rant about a lack of sandboxing.
Thanks, I'd love to hear what you think.
No comments yet.