Skip to content

Agent: isolate CLI into ephemeral containers #10

Description

@pgagnidze

The agent CLI shares the app container with the database, secrets, and source. A prompt injection could read these directly from the filesystem. Output redaction catches accidental leaks but is bypassable (encoding, character separation, reversal).

Spawn each agent session in a short-lived container with only Playwright MCP access and the auth token. No database, no source, no env file. Destroy on session end. This eliminates both the filesystem access and the redaction bypass problem since the secrets are never available to the agent in the first place.

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions