I dont. I use this as my coding harness (replacement of gemini-cli/claudecode etc). I dont want to sandbox it because I expect it to be used only for coding on projects. I dont want to over complicate it.
I am building my own assistant as an AI harness - that is definitely getting sandboxed to run only as a VM on my Mac.
I use a sandbox example extension with comes with Pi, it uses the anthropic sandbox runtime (bubblewrap on linux). The runtime has one bug and needs one improvement (I've made PRs, no response yet). Pi's sandbox example extension does not block internal tools (read/write) according to rules, I've created a PR but can't submit because of Pi's OSS vacation BS... https://github.com/badlogic/pi-mono/compare/main...k3a:pi-mo... I am quite happy with my patched forks for now
I just told PI to generate itself a permissioned_* equivalents of read,write,bash,edit. Now, permissioned_read,permissioned_write,permissioned_edit have full access to anything from current dir and deeper, and permissioned_bash is always permission-gated.
Default read,edit,write,bash are disabled.
It seems to work really good.
Generally, I'm in awe. I think I've already changed the way I work.
reacharavindh|6 days ago
I am building my own assistant as an AI harness - that is definitely getting sandboxed to run only as a VM on my Mac.
neop1x|5 days ago
self_awareness|4 days ago
Default read,edit,write,bash are disabled.
It seems to work really good.
Generally, I'm in awe. I think I've already changed the way I work.