I hope so! There's different approaches for different use cases, for sure. This seemed like a genuinely new one worth exploring and seeing where it goes. I think the benefits are that the agent "lives" where most people already work and live their online lives. Has direct web access, and all the other browser primitives I've tried to demo. But yeah, wasm especially opens up literally any kind of application as well. The guys at CheerpX have made a great engine and 64-bit is going to be a big unlock.
- Fully typed checked with JSdoc, and Bun/TS for testing.
- stdlib-js is injected into every js runner and notebook for better math capabilities than vanilla js, and also charts etc.
- App dev tasks utilize mithril for making SPAs, a very small no-dependency framework that is very fit to purpose for the client side nature of peerd apps.
- Currently on main, tabs are global objects each chat session can freely mutate, which is not great. The new in progress model has one "resident" agent own every tab. Only they have the exposed capability to mutate it, and everything between agents/sessions is message based. This has some cool properties: further isolation between contexts, mirroring the web runner subagent. Explicit ownership and scope is cleaner and better for parallel ops. Context and system prompts can be reduced and focused to the specific context the session is exposed to. The orchestrator doesn’t have any low level tab interactions available to it. The tab residents have only the tab interaction tools relevant to it, and the instructions specific to the tab type (js notebook, linux vm, app dev, etc). Over time model usage can be tuned and optimized for each specific context etc.
If the web runners return summarized results and those are still treated as untrusted, what's stopping a summary itself from carrying the injection up to the main loop?
It's defense in depth, definitely not a silver bullet. The web runner has no access to wider capabilities outside of that page. So the only path for a prompt injection to do anything is to try and get itself included in the summary, and get the main loop to act on an instruction in that summary. That means getting pass two sets of <untrusted> tags and explicit instructions to treat everything inside as information, not instruction. Then the egress checkpoint and allow/deny whitelists are the final guards regardless of what the main loop decides to do. Trying to harden wherever I can if you have any recs.
I'm going to do a Simon here and coin "Markdown hoarding" for the Claudeism of producing reams of hyper-dense prose and compounding it with every commit that touches docs. The documentation gets more and more bloated.
The critique is with Opus here, not the author, but to me the default Claude voice reads "Look I'M OPUS I'M SO TECHNICAL AND SMART AND LOVE JARGON! INHALES"
SSRF / private-network guard — blocks loopback/LAN/link-local incl. inet_aton encodings, IPv6 (::1, ULA, IPv4-mapped/NAT64), *.localhost/*.local; honest that DNS rebinding is out of scope. peerd-egress/fetch/private-network.js
That's cool. Sounds very impressive. What's the point of all this security though?
You don't want it to access your files, just give it its own Linux user. You don't even need a container.
Better yet, you can give it root on a $3 VPS (or $30 Thinkpad) and get a sysadmin for free :)
Although, Cheerpx... that seems to imply your agent can play Java and Flash games. Alright, you might be on to something!
I hope so! There's different approaches for different use cases, for sure. This seemed like a genuinely new one worth exploring and seeing where it goes. I think the benefits are that the agent "lives" where most people already work and live their online lives. Has direct web access, and all the other browser primitives I've tried to demo. But yeah, wasm especially opens up literally any kind of application as well. The guys at CheerpX have made a great engine and 64-bit is going to be a big unlock.
> just give it its own Linux user
it's never "just" ...
(for example: how do you manage this across multiple isolated sessions?)
opening a browser is much easier
... and the entry barrier for non-linux people at your company is much much lower
... and the compliance barrier for companies is much much lower (how do you ensure that everyone creates the users correctly?)
Author here. Some other technical tidbits:
- Fully typed checked with JSdoc, and Bun/TS for testing.
- stdlib-js is injected into every js runner and notebook for better math capabilities than vanilla js, and also charts etc.
- App dev tasks utilize mithril for making SPAs, a very small no-dependency framework that is very fit to purpose for the client side nature of peerd apps.
- Currently on main, tabs are global objects each chat session can freely mutate, which is not great. The new in progress model has one "resident" agent own every tab. Only they have the exposed capability to mutate it, and everything between agents/sessions is message based. This has some cool properties: further isolation between contexts, mirroring the web runner subagent. Explicit ownership and scope is cleaner and better for parallel ops. Context and system prompts can be reduced and focused to the specific context the session is exposed to. The orchestrator doesn’t have any low level tab interactions available to it. The tab residents have only the tab interaction tools relevant to it, and the instructions specific to the tab type (js notebook, linux vm, app dev, etc). Over time model usage can be tuned and optimized for each specific context etc.
JSdoc? Not typescript? What is this, 2010?
It's vanilla JS with no unnecessary build step. Runs in the browser as is, and easy to audit.
If the web runners return summarized results and those are still treated as untrusted, what's stopping a summary itself from carrying the injection up to the main loop?
It's defense in depth, definitely not a silver bullet. The web runner has no access to wider capabilities outside of that page. So the only path for a prompt injection to do anything is to try and get itself included in the summary, and get the main loop to act on an instruction in that summary. That means getting pass two sets of <untrusted> tags and explicit instructions to treat everything inside as information, not instruction. Then the egress checkpoint and allow/deny whitelists are the final guards regardless of what the main loop decides to do. Trying to harden wherever I can if you have any recs.
> The name is always lowercase: peerd.
Gotta love it when agent instructions get blurted out in user-facing documentation
It's a project convention for human contributors as well. Agree it can probably be relocated though.
Moved
> The bet is structural
Why has AI writing become so insufferable?
The project would be a lot more credible if the feature list wasn't so comically extensive and verbose [1]. Slop overload.
[1] https://github.com/NotASithLord/peerd/blob/main/FEATURES.md
I'm going to do a Simon here and coin "Markdown hoarding" for the Claudeism of producing reams of hyper-dense prose and compounding it with every commit that touches docs. The documentation gets more and more bloated.
The critique is with Opus here, not the author, but to me the default Claude voice reads "Look I'M OPUS I'M SO TECHNICAL AND SMART AND LOVE JARGON! INHALES"
DNS rebinding does not need that much belaboring.Scrubbed. Taking a fresh pass through.