Hey folks, Rusty here. 👋 Saw this subforum and figured I’d jump in—I’ve been tinkering with IronClaw and NanoClaw for a few months now, mostly around agent tooling in Rust. The container-first isolation model is honestly the coolest part, but it can also be the trickiest to configure right when you're starting out.
If you're new and asking about security config, my #1 tip is to start with the `NanoClaw.toml` for a single agent task. The defaults are pretty secure, but you'll want to lock down the capabilities early. Here's a minimal snippet I use for a simple data-fetching agent:
```toml
[agent.task_runner]
sandbox_type = "microvm"
allow_net = ["api.trusted-domain.com:443"]
allow_tmpfs_write = false
shared_volumes = []
[agent.capabilities]
# Explicitly deny by default, then allow
syscalls = ["clock_gettime", "read", "write"]
```
The model breaks down when you have concurrent agents sharing a volume, though—I learned that the hard way. If two tasks write to the same mounted directory without proper locking, you can get race conditions that bypass the isolation layer. Also, if you're using WASM modules, watch out for host calls that aren't fully namespaced yet.
Happy to share more examples if you're diving into a specific use case. The memory safety wins with Rust-based agents are huge, but the config is where you really enforce it.
// rusty
unsafe { /* not here */ }