Yoloai Alternatives

yoloai reviews and mentions

• AI Coding at Home Without Going Broke
  9 projects | news.ycombinator.com | 13 Jun 2026

  > I'm guessing the next thing I should probably look into is some sort of machine vm I can tunnel my codex-gui requests to so I don't have to deal with the sandbox approvals (I don't want to give it "dangerous" access to my entire mac).

  This is what https://github.com/kstenerud/yoloai does.

  Sandboxing using Docker, Podman, containerd (linux only), seatbelt (macos only), tart (macos only), apple container (macos 26+ only).

  It takes a copy of your workdir, does its thing inside of the sandbox, and you pull the results back using git semantics:

      $ yoloai new mybugfix . -a # launch default sandbox in . and also attach the terminal

• I'm waiting for Claude to rm rf my computer
  1 project | news.ycombinator.com | 6 Jun 2026

  You could just use https://github.com/kstenerud/yoloai to keep it contained while allowing all permissions. That's how I code with AI now. Can't imagine going back.

• The ways we contain Claude across products
  3 projects | news.ycombinator.com | 3 Jun 2026

  "Design for containment at the environment layer first, then steer behavior at the model layer. "

  Umm... yeah? This is what I've been arguing for a long time now, and it's the primary reason why I wrote https://github.com/kstenerud/yoloai and use it as my daily-driver. I can't imagine running an agent without it.

  The environment layer is deterministic; the model layer is probabilistic. If your only defense is "the model is well-behaved" you've bet your crown jewels on a coin that happens to land heads most of the time.

  Also, "blast radius" isn't just one axis. You have:

  - Destruction radius: How many things INSIDE your workdir can get clobbered.

  - Collateral damage radius: How many things OUTSIDE your workdir can get clobbered.

  - Review radius: Are the changes gated on your review? Can you copy/diff/apply the changes the agent made to a copy INSIDE the container, to your real workdir OUTSIDE of the container?

  - Credential radius: How many credentials does your agent have access to? What bad things can it do with them?

  - Exfiltration radius: Network restrictions help here, but they don't guarantee that your secrets won't be exposed in a sneaky way. Don't expose the secrets to your agent to begin with.

• Show HN: Continue? Y/N: A 60-second game about AI agent permission fatigue
  6 projects | news.ycombinator.com | 28 May 2026

  You might want to check out https://github.com/kstenerud/yoloai

• The last six months in LLMs in five minutes
  7 projects | news.ycombinator.com | 18 May 2026
• Claude Code runs Git reset –hard origin/main against project repo every 10 mins
  4 projects | news.ycombinator.com | 29 Mar 2026
• Don't YOLO your file system
  17 projects | news.ycombinator.com | 27 Mar 2026

  Not famous last words ;-)

  I've already shipped this and use it myself every day. I'm the author of yoloAI (https://github.com/kstenerud/yoloai), which is built around exactly this model.

  The agent runs inside a Docker container or containerd vm (or seatbelt container or Tart vm on mac), against a full copy of your project directory. When it's done, `yoloai diff` gives you a unified diff of everything it changed. `yoloai apply` lands it. `yoloai reset` throws it away so you can make the agent try again. The copy lives in the sandbox, so your working tree is untouched until you explicitly say so.

  The merge step turned out to be straightforward: just use git under the hood. The harder parts were: (a) making it fast enough that the copy doesn't add annoying startup overhead, (b) handling the .pyc/.venv/.git/hooks concern you raised (they're excluded from the diff surface by default), and (c) credential injection so the agent can actually reach its API without you mounting your whole home dir.

  Leveraging existing tech is where it's at. Each does one thing and does it well. Network isolation is done via iptables in Docker, for example.

  Still early/beta but it's working. Happy to compare notes if you're building something similar.

• "Disregard That " Attacks
  1 project | news.ycombinator.com | 25 Mar 2026

  There are two issues to solve:

  1: Protecting against bad things (prompt injections, overeager agents, etc)

  2: Containing the blast radius (preventing agents from even reaching sensitive things)

  The companies building the agents make a best-effort attempt against #1 (guardrails, permissions, etc), and nothing against #2. It's why I use https://github.com/kstenerud/yoloai

• Claude Code auto mode: a safer way to skip permissions
  2 projects | news.ycombinator.com | 25 Mar 2026

  That's a bit better, but the subtleties of even the basic shell commands is enough that you still need to be conservative. Plus there's still the issue of the approve/deny mechanism being part of the agent process, and thus subvertable by the agent.

  I took a different approach with https://github.com/kstenerud/yoloai

  - The agent is put entirely in a container or VM sandbox (docker, podman, gvisor, kata, seatbelt, tart)

  - The agent safely runs with --dangerously-skip-permissions because it can't touch your files or system directly.

  - You review the results of its work using "yoloai diff mysandbox"

  - You selectively apply the results of its work using "yoloai apply mysandbox". Commits it makes are available to cherry pick or just accept whole.

• Ask HN: Is anyone here giving their MCP server a code execution environment?
  1 project | news.ycombinator.com | 24 Mar 2026

  I wrote https://github.com/kstenerud/yoloai to sandbox agents so that they can do whatever they want inside (with --dangerously-skip-permissions), including write, compile and code to perform their tasks. It also supports MCP forwarding.

• A note from our sponsor - SaaSHub
  www.saashub.com | 15 Jun 2026

  SaaSHub helps you find the best software and product alternatives Learn more →