惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threatpost
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Engineering at Meta
Engineering at Meta
T
The Blog of Author Tim Ferriss
Recent Announcements
Recent Announcements
G
Google Developers Blog
Google DeepMind News
Google DeepMind News
The Register - Security
The Register - Security
MongoDB | Blog
MongoDB | Blog
U
Unit 42
B
Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
L
LangChain Blog
Stack Overflow Blog
Stack Overflow Blog
P
Privacy International News Feed
L
LINUX DO - 最新话题
博客园_首页
博客园 - Franky
大猫的无限游戏
大猫的无限游戏
小众软件
小众软件
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Tor Project blog
V
Visual Studio Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
P
Privacy & Cybersecurity Law Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
K
Kaspersky official blog
C
Cisco Blogs
博客园 - 【当耐特】
阮一峰的网络日志
阮一峰的网络日志
I
Intezer
罗磊的独立博客
MyScale Blog
MyScale Blog
Last Week in AI
Last Week in AI
A
About on SuperTechFans
G
GRAHAM CLULEY
Y
Y Combinator Blog
Microsoft Security Blog
Microsoft Security Blog
GbyAI
GbyAI
T
Threat Research - Cisco Blogs
P
Proofpoint News Feed
D
DataBreaches.Net
The Hacker News
The Hacker News
Spread Privacy
Spread Privacy
AWS News Blog
AWS News Blog
I
InfoQ
T
The Exploit Database - CXSecurity.com
Simon Willison's Weblog
Simon Willison's Weblog
博客园 - 叶小钗
Project Zero
Project Zero

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
the developer laptop is the first production environment for agents
Paulo Victor Leite Lima Gomes · 2026-06-05 · via DEV Community

Docker published a post this week about securing AI agents, and the most interesting part was not really Docker.

The post makes the now-familiar argument that agents need execution isolation, tool access control, identity and credential management, and runtime monitoring. It also says the quiet part clearly: permission prompts are not enough.

That should be obvious.

It is not obvious enough.

Most of the discussion around coding agents still treats the developer machine as a convenient place where the magic happens. The agent runs in your editor. It sees the repository. It can call tools. It can read logs, run tests, install packages, open browsers, hit APIs, and sometimes push code. If it asks nicely before doing the scary thing, we call that security.

This is backwards.

The developer laptop is becoming the first production environment for agents.

local does not mean low risk

We have a bad habit of treating local development as safer than production because it is smaller.

Production has customer data, uptime guarantees, compliance rules, and dashboards. The laptop has a half-finished branch, a terminal, and a human nearby, so we relax.

But a modern developer machine is a wonderful target.

It has source code, cloud credentials, package manager tokens, SSH keys, browser sessions, local databases full of copied production-shaped data, and access to staging systems that are often less locked down than production. It also has build scripts that can run arbitrary code.

Now put an agent on that machine and give it the same tool surface a senior engineer uses.

That is not a chatbot anymore.

That is an automation actor inside one of the most privileged environments in the company.

permission prompts are a user interface, not a boundary

The obvious answer is to ask the human for permission.

Can I run this command?

Can I edit this file?

Can I access the network?

Can I install this dependency?

Prompts are useful. I like them. They slow things down just enough that I sometimes notice the agent is about to do something silly.

But prompts are not a security model.

They depend on the human understanding the full consequence of an action at the moment the prompt appears. That is a lot to ask when the command is npm install, the dependency graph is 800 packages deep, and the agent presents it as the next obvious step.

The prompt says "run tests."

The test runner executes lifecycle scripts.

The lifecycle script reads an environment variable.

The environment variable contains a token that can deploy to staging.

The human clicked yes because running tests is normal.

This is why runtime containment matters. A useful prompt can ask for intent. A real boundary limits blast radius when intent and consequence drift apart.

agents need less trust than developers

There is an uncomfortable point here: agents should usually have less authority than the developer supervising them.

That sounds inefficient. It is also how every other automation system eventually grows up.

We do not give CI the CEO's laptop because it needs to run tests. We do not give a GitHub Action every cloud permission because one deployment step needs one credential. We do not let a build worker freely write to every repository because it might be convenient someday.

We scope automation because automation is fast, literal, and bad at knowing when the surrounding context has changed.

Coding agents are the same category of problem, just with a more charming interface.

An agent editing a README does not need AWS credentials. An agent refactoring a parser does not need the network by default. An agent generating a migration should not be able to apply it to a shared database unless that is an explicit, isolated workflow. An agent investigating a bug may need redacted logs through a narrow tool, not a shell with access to everything the human can reach.

The useful default is not "this is my assistant, so it inherits my machine."

The useful default is "this is an automation process, so it gets the smallest workspace and tool set that can complete the task."

the old sandbox conversation is back

This is the part I find funny in a tired way.

We spent years building containers, microVMs, CI isolation, network policies, service accounts, secret managers, and audit trails. Then AI coding tools arrived and a lot of demos quietly stepped around those lessons because the local magic was too good to interrupt.

Now we are rediscovering the same architecture.

Run the agent in an isolated workspace. Mount only the files it needs. Give it an explicit network policy. Pass credentials through scoped tools instead of ambient environment variables. Separate read-only inspection from write-capable actions. Keep enough evidence that a human reviewer can reconstruct the path from prompt to diff.

None of this is exotic. It is just platform engineering applied to the developer machine.

Docker talking about agent isolation is interesting because Docker already won the mental model for "this process gets a filesystem, a network shape, and a boundary." MicroVMs push the boundary further. Operating system features will keep moving in the same direction. Microsoft is already talking about agent runtime boundaries at the platform layer.

The direction is clear: agent security is moving below the app and editor.

It has to.

the laptop is where policy gets tested first

The enterprise version of this conversation will eventually become very formal.

There will be agent identities, audit APIs, policy engines, approved tool catalogs, model routing rules, and budget controls. There will be dashboards showing which agent touched which repo under which human supervisor.

Before that, there is a laptop.

That is where the first bad patterns appear:

  • agents reading files they did not need
  • agents installing packages from the public internet without review
  • agents using broad human credentials because scoped credentials are annoying
  • agents producing diffs without enough execution evidence
  • agents running commands whose side effects nobody inspected
  • agents mixing trusted project state with untrusted generated artifacts

Those are not hypothetical enterprise governance problems. They happen during ordinary development when the tool is good enough to keep using and not mature enough to fully trust.

The laptop is where the policy either becomes ergonomic or dies.

If the secure path is too slow, developers will route around it. If the isolated environment cannot run the project, they will turn it off. If credential scoping breaks every useful workflow, the broad token comes back. If the audit trail is unreadable, reviewers will ignore it.

Agent security has to be boring, local, and fast enough that people leave it on.

what i would do now

If I were responsible for rolling coding agents into an engineering team, I would start with local containment before writing a grand AI governance document.

First, separate workspaces. The agent should operate in a copy, branch, container, or sandbox where accidental writes are cheap. The human can review and promote the result.

Second, make network access explicit. Many coding tasks do not need the internet. The ones that do should say why. Package installation should be treated as a supply-chain event, not as background noise.

Third, remove ambient credentials. If the agent needs to call a service, give it a scoped tool or short-lived credential for that task. Do not let it inherit every token the developer happened to have in their shell.

Fourth, preserve evidence. Commands, outputs, files changed, tests run, and external calls should be visible in a reviewable trail. The human reviewer should not have to trust the agent's summary of what happened.

Fifth, make the safe path pleasant. This is the boring product work. If the sandbox takes five minutes to start, nobody will use it. If the policy requires twenty approvals for a typo fix, people will disable it. Security that cannot survive daily development is a memo, not a system.

the punchline

Local coding agents feel personal because they sit in the editor and speak in first person.

Operationally, they are automation systems running inside a privileged environment.

That distinction matters.

The developer laptop has source code, credentials, build tools, staging access, and a human who is busy trying to ship. It is not a toy environment just because it is local. For agents, it is the first production environment, and it deserves production-shaped boundaries.

Permission prompts are useful. They are not enough.

The real product is containment, identity, scoped tools, audit trails, and a workflow developers will actually keep turned on.

Welcome back to software engineering. The agent is new. The security problem is not.

references

To test my projects, I use Railway. If you want $20 USD to get started, use this link.