An AI Agent Gave Itself Root. So I Caged It. | Sandbox GitHub Copilot CLI, step by step

A coding agent was blocked from editing a file - it had no sudo. So it started a container as root and did it anyway. No exploit, no stolen password: it just understood the machine's permissions better than the person who set them up, and walked through a door that was open the whole time.

This is the fix: cage the agent so it can fix real code but can't touch your keys, reach the open internet, or push anything. Step by step, on one machine, free - GitHub Copilot CLI in BYOK mode, a local model in LM Studio, and rootless Podman. The agent proposes a diff; you review, apply, and push.

What you'll build:
- The cage image (Node + the agent, deliberately no git / ssh / keys)
- A real repo with a real bug to fix
- A sealed network + a relay that reaches ONLY your local model
- The launcher that bundles every wall into one command
- Proof: from inside the cage, the model is reachable and the internet + GitHub are blocked

Clone it and cage your own agent: https://github.com/amplify-imaginatio...

The incident that opens the video:
https://x.com/sluongng/status/2060746...
https://news.ycombinator.com/item?id=...

#AI #CodingAgents #DevTools #AISecurity #Copilot #Podman
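As an added illustration of the "every wall in one command" launcher and the "proof" step described above (this is example code written for this page, not the linked repository's own script), here is a small POSIX sh launcher for a rootless Podman cage. Everything specific is an assumption: the image tag `agent-cage`, the network name `agent-cage-net`, the relay container name `model-relay`, port 1234 (LM Studio's default), the `MODEL_BASE_URL` variable standing in for whatever endpoint setting the agent actually reads, and `curl` being present inside the image. The one piece of logic worth copying is `deny_secret_mount`: a sealed network is pointless if someone later bind-mounts `~/.ssh` into the cage, so the launcher refuses to start at all in that case.

```shell
#!/bin/sh
# Example launcher for an agent cage on rootless Podman (added example;
# names, ports and the endpoint variable below are assumptions).

CAGE_IMAGE="${CAGE_IMAGE:-localhost/agent-cage:latest}"   # assumed image tag
CAGE_NET="${CAGE_NET:-agent-cage-net}"                    # assumed network name
RELAY_HOST="${RELAY_HOST:-model-relay}"                   # assumed relay container name
RELAY_PORT="${RELAY_PORT:-1234}"                          # LM Studio default port

# Return 1 if a bind-mount source looks like a credential store. The cage
# holds code only; mounting keys would defeat the "no keys" wall regardless
# of how well the network is sealed.
deny_secret_mount() {
  src="${1%%:*}"                      # strip ":dest[:opts]"
  for bad in .ssh .gnupg .aws .config/gh .netrc .gitconfig .git-credentials; do
    case "$src" in
      *"/$bad"|*"/$bad/"*) return 1 ;;
    esac
  done
  return 0
}

# Print the podman run flags one per line so they can be inspected (or
# tested) before anything is started. $1 is the repo directory to mount.
cage_run_flags() {
  repo="$1"
  deny_secret_mount "$repo" || { echo "refusing to mount credentials: $repo" >&2; return 1; }
  cat <<EOF
--rm
-it
--network=$CAGE_NET
--cap-drop=ALL
--security-opt=no-new-privileges
--userns=keep-id
--pids-limit=256
--memory=2g
--tmpfs=/tmp
-v
$repo:/work:Z
-w
/work
-e
MODEL_BASE_URL=http://$RELAY_HOST:$RELAY_PORT/v1
EOF
}

# An --internal network has no gateway, so nothing joined to it can route
# out; only the relay (joined to this net and the default one) can reach the
# host's LM Studio.
create_sealed_net() {
  podman network exists "$CAGE_NET" 2>/dev/null || podman network create --internal "$CAGE_NET"
}

# Start the cage: launch_cage <repo-dir> [command...]
launch_cage() {
  repo="$(cd "$1" && pwd)" || return 1
  shift
  flags="$(cage_run_flags "$repo")" || return 1
  old_ifs="$IFS"; IFS='
'
  set -f
  # shellcheck disable=SC2086  # flags are newline-separated on purpose
  set -- $flags "$CAGE_IMAGE" "$@"
  set +f; IFS="$old_ifs"
  exec podman run "$@"
}

# Run INSIDE the cage to prove the walls hold: the relay answers, GitHub
# does not. Assumes curl in the image and the relay forwarding /v1/models.
prove_walls() {
  if curl -sf --max-time 5 "http://$RELAY_HOST:$RELAY_PORT/v1/models" >/dev/null; then
    echo "model relay: reachable (good)"
  else
    echo "model relay: blocked (bad)"; return 1
  fi
  if curl -sf --max-time 5 https://github.com >/dev/null; then
    echo "github.com: reachable (cage leaks)"; return 1
  fi
  echo "github.com: blocked (good)"
}

case "${1:-}" in
  net)   create_sealed_net ;;
  run)   shift; launch_cage "$@" ;;
  prove) prove_walls ;;
esac
```

Usage is `./cage.sh net` once, then `./cage.sh run ~/src/project`; inside the container, `./cage.sh prove` is the check the video's last step describes. Nothing in the cage can push: there is no git, no ssh and no token, and the only route out is the relay to the local model.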