totopo 3.6.0 → 3.6.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +21 -1
- package/package.json +1 -1
package/README.md
CHANGED
@@ -10,6 +10,12 @@ Local sandbox for AI agents.


+
## Who this is for
+
+
Developers who use `claude`, `codex`, or `opencode` **interactively** — one human pair-programming with one agent.
+
+
totopo is not an orchestration tool — no SDK, no parallel agents, no per-run worktrees. If you need those, look at dedicated agent-orchestration tools instead.
+
## Motivation
Two fundamental risks when running AI agents locally:
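Review bot: the new "Who this is for" section should link to the Threat Model section added further down in this same change, because the one-human-one-agent interactive use case it describes is the assumption that section's "everyday agent mistakes, not a determined attacker" scoping rests on; a short pointer after the `totopo is not an orchestration tool` line, such as "for what that buys you, see [Threat Model](#threat-model)", would keep the two sections in step if either is edited later.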
@@ -50,7 +56,7 @@ A few things happen automatically:
- **Agents stay up to date** — totopo keeps all AI CLIs on their latest versions, checking for updates automatically.
- **Sessions are persistent** — agent memory and settings survive container restarts and rebuilds.
-
- **
+
- **The blast radius is bounded** — the container can't push to remote or read outside the workspace, and you can hide files like `.env` from the agent (see [Shadow Paths](#shadow-paths)). For what this does and doesn't protect against, see [Threat Model](#threat-model).
For a deeper look at how totopo works and how to configure it, see the sections below.
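Review bot: the rewritten bullet says the container "can't push to remote", but the Threat Model section added in this same change says the network is open and `/usr/bin/git` is reachable by absolute path even in strict mode, with only the absence of credentials in the container standing between the agent and a push; suggest wording the bullet to match, for example "has no credentials to push to your remote and can't read outside the workspace", so the summary bullet does not promise more than the threat model section does.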
@@ -250,6 +256,20 @@ To clear memory: `npx totopo` → **Manage totopo > Clear agent memory**.
}
```
+
## Threat Model
+
+
Totopo makes everyday agent mistakes safer. It is not built to stop a determined attacker.
+
+
**What it helps with:**
+
- Confused-agent mistakes — only the workspace is at risk; the rest of your machine is invisible.
+
- Casual prompt injection — the agent can't read your SSH keys or push to your remote, because neither is in the container.
+
+
**What it does not help with:**
+
- A determined adversarial agent. The network is open, and `/usr/bin/git` is reachable by absolute path even in strict mode. Anything in the workspace can still leave over HTTP.
+
- Secrets you didn't shadow. A `.env` tracked in git is visible unless you list it in `shadow_paths`.
+
- Container escapes. Totopo uses a non-root user and `no-new-privileges`, but no capability drops or seccomp profiles. For stronger isolation, use a microVM sandbox.
+
- Edits to your working tree. The workspace is bind-mounted, so agent changes land on your real files. Commit often.
+
## Disclaimer
MIT licensed and fully open source. Issues welcome — no promises on response time. Use at your own risk.
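Review bot: the "Container escapes" bullet's phrase "no capability drops or seccomp profiles" is ambiguous: it can be read as "totopo adds none beyond the container runtime's defaults" or as "totopo runs the container with those defaults disabled", and the two describe very different isolation levels; suggest stating which is meant, for example "relies on the runtime's default seccomp profile and capability set and adds no further restrictions", so readers weighing the microVM recommendation know the baseline. Keeping the non-root user and `no-new-privileges` in the same sentence is good, since together with that clarification they give the complete picture of what the container does and does not enforce.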