Tags: vibe-coded, agent-security

The Security Reset

When building agentic systems, everything we've done historically needs rethinking—1000+ hours learning how.

It's becoming clearer every week: everything we've built up until now needs a security reset. Not an update. A reset.

I've spent over 1000 hours in the past 16 months working with devcontainers and the alternatives—VMs in the cloud, dedicated machines like my Hetzner box. And here's the uncomfortable truth: the foundational security model we've always relied on is breaking under the weight of agentic development.

For years, devcontainers were the answer. VS Code made them magical—just connect, and suddenly your SSH keys, your git credentials, everything flows in seamlessly. It's brilliant UX. Until an agent is on the other end of that connection.

I've been working intensely these past three months trying to replicate the logic VS Code uses when it connects to devcontainers. The more I've learned, the more I've realized how much danger is hiding in those defaults. Your SSH agent gets copied in. Your git credentials are accessible. Your SSH keys are right there. This is fine when a human developer is the only one accessing those tools. It's existential risk when your agent can SSH into your development machine and pull data you didn't even know it could access.

Take docker-in-docker on devcontainers. Most people don't realize it runs with the --privileged flag (it's documented, but it's a default most only discover when testing what their agent can actually do). That means a container can access host data when user IDs overlap. It's not a bug—it's how Docker works. But now we have agents running inside that.

The examples keep piling up. Bolt's CEO claimed their webcontainers were secure by default. That's only true if you never put anything sensitive inside them. Supply chain attacks aren't theoretical anymore—they're the actual attack surface we need to defend.

I'm not a security researcher. I just asked Claude to hack my own setup and found the vulnerabilities myself.

The conclusion I've reached, and I'm increasingly convinced of it: agents cannot work in environments where we're applying historical developer tooling logic. Everything an agent touches must exist in complete isolation. No SSH agent forwarding. No git credentials flowing in through pipes and environment variables designed for a human at the keyboard. No --privileged containers.
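The three defaults called out here (a forwarded SSH agent, host git credentials mounted in, and `--privileged`) are all visible in the JSON that `docker inspect <container>` prints, so they can be checked rather than guessed at. The script below is an added example, not code from this post or from the VS Code devcontainer tooling; it reads that JSON (a constructed sample of a leaky devcontainer and a constructed isolated one are embedded so it runs offline) and returns a list of findings per container. The field names it reads (`Config.Env`, `HostConfig.Privileged`, `Mounts[].Source` / `Destination`) are the real `docker inspect` fields; the container names, paths and the agent socket location are invented for the sample.

```python
"""Audit `docker inspect` JSON for the devcontainer defaults an agent should not have.

Added example (not the post's or the devcontainer project's code). Usage:
    docker inspect <container> | python3 audit_devcontainer.py
Flags: --privileged, a forwarded SSH agent (SSH_AUTH_SOCK and its socket mount),
host git credential files or ~/.ssh mounted in, and the host Docker socket.
"""
import json
import sys

# Constructed sample: what `docker inspect` looks like for a devcontainer started
# with SSH agent forwarding, a .gitconfig bind mount and the --privileged flag.
SAMPLE_LEAKY = json.dumps([{
    "Id": "deadbeef0000",
    "Name": "/vsc-myproject",
    "Config": {"Env": [
        "PATH=/usr/local/bin:/usr/bin",
        "SSH_AUTH_SOCK=/tmp/vscode-ssh-auth-sock",  # forwarded agent socket
        "REMOTE_CONTAINERS=true",
    ]},
    "HostConfig": {"Privileged": True},
    "Mounts": [
        {"Type": "bind", "Source": "/home/alice/project",
         "Destination": "/workspaces/project"},
        {"Type": "bind", "Source": "/home/alice/.gitconfig",
         "Destination": "/root/.gitconfig"},
        {"Type": "bind", "Source": "/tmp/ssh-XXXX/agent.123",
         "Destination": "/tmp/vscode-ssh-auth-sock"},
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock"},
    ],
}])

# Constructed sample of the isolated shape the post argues for: no host secrets,
# no agent socket, not privileged, work tree on a named volume.
SAMPLE_ISOLATED = json.dumps([{
    "Id": "cafef00d0000",
    "Name": "/agent-sandbox",
    "Config": {"Env": ["PATH=/usr/local/bin:/usr/bin"]},
    "HostConfig": {"Privileged": False},
    "Mounts": [{"Type": "volume", "Source": "agent-work",
                "Destination": "/workspaces/project"}],
}])

GIT_CREDENTIAL_MARKERS = (".gitconfig", ".git-credentials")


def audit_container(info: dict) -> list:
    """Return (code, detail) findings for one container's inspect record."""
    findings = []
    if info.get("HostConfig", {}).get("Privileged"):
        findings.append(("privileged", "HostConfig.Privileged is true"))

    env_entries = info.get("Config", {}).get("Env") or []
    env = dict(e.split("=", 1) for e in env_entries if "=" in e)
    agent_sock = env.get("SSH_AUTH_SOCK")
    if agent_sock:
        findings.append(("ssh-agent-env", f"SSH_AUTH_SOCK={agent_sock}"))

    for mount in info.get("Mounts") or []:
        src = mount.get("Source", "")
        dst = mount.get("Destination", "")
        where = f"{src} -> {dst}"
        # The mount that backs SSH_AUTH_SOCK is the host agent reaching inside.
        if agent_sock and dst == agent_sock:
            findings.append(("ssh-agent-mount", where))
        if any(marker in src for marker in GIT_CREDENTIAL_MARKERS):
            findings.append(("git-credentials", where))
        if "/.ssh" in src:
            findings.append(("ssh-keys", where))
        if src.endswith("docker.sock"):
            findings.append(("docker-socket", where))
    return findings


def audit_inspect_json(text: str) -> dict:
    """Map container name -> findings for the whole `docker inspect` array."""
    return {c.get("Name") or c.get("Id", "?"): audit_container(c)
            for c in json.loads(text)}


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LEAKY
    report = audit_inspect_json(data)
    for name, findings in report.items():
        print(name, "OK" if not findings else "")
        for code, detail in findings:
            print(f"  [{code}] {detail}")
    sys.exit(1 if any(report.values()) else 0)
```

Run without piped input and it audits the embedded leaky sample; piped `docker inspect` output is audited instead. A non-zero exit makes it usable as a pre-flight gate before an agent is pointed at a container. The checks are deliberately string-based heuristics on paths, so a credential mounted under an unusual name will not be caught; the absence of findings is evidence, not proof, that the container is isolated.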

This isn't a limitation we can patch around. This is the price of agents accessing the same tools we've been using for two decades. Those tools were built for humans who could make judgment calls. An agent will use them exactly as designed, exactly as you taught it, and that's the problem.

The security reset isn't coming. It's already here. And anyone building seriously with agents right now needs to accept that their development environment might need to look radically different from what they're used to.

Part of the #100DaysToOffload series documenting agentic development in 2026.