Podman sandbox pi-less-yolo to contain blast radius of AI changes

[cjermain]

I built a small container sandbox shim for pi-coding-agent that makes using pi "less YOLO".

pi runs with full access to your filesystem by default. A misunderstood instruction or a loop going sideways can touch files outside the project you're working in.

pi-less-yolo wraps pi in a Chainguard-based container that only mounts your current working directory and the necessary pi configuration files -- nothing else in the host is reachable. It scopes the permissions to avoid privilege escalation. A mise task makes it mise run pi from any project directory.

cd my-project && mise run pi

I originally wrote this with Docker, and @danone-dev added Podman support via --userns=keep-id, which is needed in rootless Podman so the container UID matches the host user. Because Podman is drop-in compatible with the Docker CLI, extending the existing CI to test both runtimes on each PR required almost no changes.

While this is "less YOLO", there are still known security gaps. Network access is unrestricted, which can allow exfiltration of files. Container escapes exist, and the mounted directory is fully writable.

https://github.com/cjermain/pi-less-yolo

Happy to take feedback in the pi-less-yolo GitHub Issues.