I wanted my assistant to be able to actually do things. Run scripts, read files, execute code.
The moment I wired that up, something felt off. Not dramatically — just the basic instinct that something with shell access and persistent memory probably shouldn't have unrestricted reach.
And if I'm running multiple conversation contexts, I don't want them touching each other.
So I added container isolation.
Every conversation in Deus now runs in its own container — Docker on Linux, Apple Container on macOS.
Each gets an isolated filesystem and isolated memory. When the session ends, the container goes with it.
A few things this solves:
- The host machine stays clean
- Contexts don't share state
- and — this surprised me — it made me more willing to give the agent permissions within the container.
The blast radius is scoped.
It's a better mental model than trying to specify everything via prompt.
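A sketch of the per-conversation lifecycle described above, on the Docker side. This is an added example, not Deus's own code: the image name, the resource limits, `--network none` and the other hardening flags are assumptions, not details from this post.

```python
import hashlib
import subprocess
from contextlib import contextmanager

IMAGE = "agent-sandbox:latest"  # hypothetical image name (assumption)

def container_name(conversation_id: str) -> str:
    # Hash the untrusted id so it can never smuggle flags or break Docker naming rules.
    return "agent-" + hashlib.sha256(conversation_id.encode()).hexdigest()[:16]

def start_argv(conversation_id: str) -> list[str]:
    # One long-lived container per conversation. No -v/--mount: no host path is reachable.
    return [
        "docker", "run", "--detach", "--rm",
        "--name", container_name(conversation_id),
        "--read-only",                          # image filesystem is immutable
        "--tmpfs", "/workspace:rw,size=256m",   # scratch space that dies with the container
        "--workdir", "/workspace",
        "--network", "none",                    # assumption: the tools need no network
        "--cap-drop", "ALL",
        "--security-opt", "no-new-privileges",
        "--pids-limit", "128",
        "--memory", "512m",
        IMAGE, "sleep", "infinity",             # assumes the image ships a sleep that accepts "infinity"
    ]

def exec_argv(conversation_id: str, command: list[str]) -> list[str]:
    if not command:
        raise ValueError("empty command")
    return ["docker", "exec", container_name(conversation_id), *command]

@contextmanager
def session(conversation_id: str):
    """Start the sandbox, yield a run(command) callable, and always tear down."""
    subprocess.run(start_argv(conversation_id), check=True, capture_output=True)
    def run(command: list[str], timeout: int = 60):
        return subprocess.run(exec_argv(conversation_id, command),
                              capture_output=True, text=True, timeout=timeout)
    try:
        yield run
    finally:
        # Force-remove even if the agent left processes running or a tool call raised.
        subprocess.run(["docker", "rm", "--force", container_name(conversation_id)],
                       capture_output=True)

if __name__ == "__main__":
    with session("conversation-1") as run:
        print(run(["sh", "-c", "echo hi > note.txt && cat note.txt"]).stdout)
```

Commands are passed as argument lists rather than shell strings, so nothing from the conversation is interpreted by a shell on the host.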
Is this overkill for Q&A? Yes.
Did it feel like the right call the moment shell access entered the picture? Also yes.