8 points by healsdata 7 hours ago | 3 comments
  • kstenerud 6 hours ago
    That's a bit better, but the subtleties of even the basic shell commands are enough that you still need to be conservative. Plus there's still the issue of the approve/deny mechanism being part of the agent process, and thus subvertable by the agent.

    I took a different approach with https://github.com/kstenerud/yoloai

    - The agent is put entirely in a container or VM sandbox (docker, podman, gvisor, kata, seatbelt, tart)

    - The agent safely runs with --dangerously-skip-permissions because it can't touch your files or system directly. You can even restrict its network access.

    - You review the results of its work using "yoloai diff mysandbox"

    - You selectively apply the results of its work using "yoloai apply mysandbox". Commits it makes are available to cherry pick or just accept whole.

  • niobe 6 hours ago
    A workaround for their own badly thought out permissions system? More likely another internal fix they decided to release.
  • AndyLeo 6 hours ago
    [dead]