Hey everyone, been experimenting a lot lately with Aider as a self-hosted coding assistant, especially after playing with OpenHands. I'm really drawn to Aider's git integration—it feels powerful to have an agent that can directly stage and commit—but that power absolutely terrifies me from a security perspective when running it locally with a capable model. The idea of an LLM with write access to my entire codebase because of a clever prompt injection or just a hallucination... yeah, no thanks.
So I've been trying a different approach: running Aider against a read-only file system snapshot. The theory is simple. I make a temporary copy or a snapshot (using something like `overlayfs` or even just a `cp -r` to a `/tmp` location) of the project I want to work on. I then start Aider with its `--git` flag disabled (or point it at this snapshot directory) and let it do its analysis and suggest changes. All the edits happen in the snapshot. I review the suggested diffs manually, and only *then* do I apply them to the real working directory myself.
It's clunky, but it turns Aider from an autonomous agent with a commit bit into a very smart, interactive linter/suggestion engine. Here's a super basic shell snippet of the workflow I'm manually following:
```bash
# Create a snapshot workspace
SNAPSHOT_DIR=$(mktemp -d)
# Copy "project/." rather than "project/*": the bare glob skips dotfiles
# such as .gitignore or .env, so the snapshot would not match the real tree
cp -a /path/to/real/project/. "$SNAPSHOT_DIR/"
# Launch Aider confined to the snapshot, with git integration switched off
cd "$SNAPSHOT_DIR"
aider --no-git
# After the session, review changes from the snapshot (-N also shows files
# the agent created, instead of just "Only in ..." lines)
cd /path/to/real/project
diff -urN /path/to/real/project "$SNAPSHOT_DIR" | less
# Then carefully apply what I want
# cp "$SNAPSHOT_DIR/modified_file.py" /path/to/real/project/
```
This is obviously a huge departure from the intended, fluid Aider experience. You lose the git staging magic entirely. But for me, the trade-off in safety feels worth it for now. It forces a human-in-the-loop for any actual filesystem mutation.
I'm curious if anyone else has tried similar "safe mode" approaches with coding agents? How do you balance capability with containment in your homelab setups? OpenHands feels like it starts from a more restricted posture by default, which is interesting, but I find its project structure a bit more involved to self-host. Maybe there's a middle ground—some clever Docker or Podman configuration with bind mounts set to `ro` and a separate `rw` volume for the agent's own scratch space?
Would love to hear about your experiments, failures, and workarounds. The goal for me is a setup where I can still get that amazing "collaborative programming" feel without lying awake at night wondering if the agent just `rm -rf`-ed my repo on a whim.
- Sam
Still learning, still breaking things.
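The snapshot-and-review loop from the post, and the read-only bind mount layout it asks about, as a set of shell helpers. This is an added example, not code from Sam's post or from the Aider or OpenHands projects. It assumes GNU/BSD `cp -a`, `cmp` and `find`; the container image name is a placeholder, and the `podman run` line is only printed, not executed, so the helpers run without a container runtime or a model.

```bash
#!/usr/bin/env bash
# Helpers for running a coding agent against a throwaway copy of a project and
# copying back only files a human has reviewed. Added example (not from the
# Aider project); paths and the container image are assumptions.
set -euo pipefail

# Copy the project into a fresh scratch directory. "dir/." includes dotfiles
# (a bare "*" glob skips them). The copy's .git is removed so the agent cannot
# rewrite history even if it is launched without --no-git.
make_snapshot() {
  local project="$1" snap
  snap=$(mktemp -d)
  cp -a "$project/." "$snap/"
  rm -rf "$snap/.git"
  printf '%s\n' "$snap"
}

# Print, one relative path per line, every file in the snapshot that is new or
# differs from the real project. Deletions in the snapshot are not reported:
# nothing is ever removed from the real tree by these helpers.
changed_files() {
  local project="$1" snap="$2" f rel
  find "$snap" -type f | sort | while IFS= read -r f; do
    rel=${f#"$snap/"}
    if [ ! -e "$project/$rel" ] || ! cmp -s "$f" "$project/$rel"; then
      printf '%s\n' "$rel"
    fi
  done
}

# Copy one reviewed file from the snapshot into the real project. The path must
# be relative, must not climb out with "..", and may not touch .git, so a
# crafted file name in the agent's output cannot steer the copy elsewhere.
apply_file() {
  local project="$1" snap="$2" rel="$3"
  case "$rel" in
    /*|../*|*/../*|*/..|.git|.git/*)
      echo "refusing path: $rel" >&2
      return 1 ;;
  esac
  [ -f "$snap/$rel" ] || { echo "not a file in snapshot: $rel" >&2; return 1; }
  mkdir -p "$project/$(dirname "$rel")"
  cp "$snap/$rel" "$project/$rel"
}

# Print the container invocation for the same idea without a host-side copy:
# the real project is a read-only bind mount, the snapshot is the agent's
# read-write scratch space and working directory. Image name is a placeholder.
container_cmd() {
  local project="$1" snap="$2" image="${3:-AIDER_IMAGE_PLACEHOLDER}"
  printf 'podman run --rm -it -v %s:/src:ro -v %s:/work:rw -w /work %s aider --no-git\n' \
    "$project" "$snap" "$image"
}
```

Typical use is `SNAP=$(make_snapshot ~/proj)`, run the agent in `$SNAP` (or with the printed `podman run` line), then `changed_files ~/proj "$SNAP"` to see what it touched and `apply_file ~/proj "$SNAP" src/app.py` per file you have read. Two caveats worth keeping in mind: the snapshot still carries any `.env` or credential files from the project, so the model sees them unless you strip them before launch; and a network policy for the container (`--network`) depends on where the model is served, since a local model server on the host would also be cut off by `--network=none`.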