
If you grant access to the Nix daemon socket but not writing outside the current directory, that's an effective sandbox. It allows evaluating derivations but not actually installing them.

If you invoke Claude Code with --input-format stream-json --output-format stream-json, you can use it headlessly. I built a personal UI / orchestration framework around it. Most features are available, but not exactly all (e.g. there is no way to undo via this protocol, but you can still do it manually by terminating / editing the session file / resuming). Other agentic software has similar features (Codex uses JSON-RPC, Copilot CLI has ACP which is also based on JSON-RPC).


Can you share what made this behavior obvious to you? E.g. when I first saw Open Code, it looked like yet another implementation of Claude Code, Codex-CLI, Gemini-CLI, Project Goose, etc. - all these are TUI apps for agentic coding. However, from these, only Open Code automatically started an unauthenticated web server when I simply started the TUI, so this came as a surprise to me.


> Browsers don't let random pages on the internet hit localhost without prompting you anymore

No, that's a Chrome-specific feature that Google added. It is not part of any standard, and does not exist in other browsers (e.g. Safari and Firefox).

> The rest is just code running as your user can talk to code running as your user

No, that assumes that there is only a single user on the machine, and there are either no forms of isolation or that all forms of isolation also use private network namespaces, which has not been how daemons are isolated in UNIX or by systemd. For example, if you were to ever run OpenCode as root, any local process can trivially gain root as well.


Huh? I have this permission in Firefox right now. It looks like Safari handles this with the OS local network permission.

True, I did assume machines are single user; I haven't seen a shared computer in ages. Doing local development, I have insecure/incomplete software listening on localhost all the time while developing it. And lots of people have passwordless sudo, or unprivileged access to the docker socket, so protection against local processes running as me is not part of my threat model. And I know this is pretty dev-centric, but OpenCode is dev-centric as well.


Are you on macOS? That might be a feature specific to that OS, I don't think Firefox does that on other OSes.


PSA - please ensure you are running OpenCode v1.1.10 or newer: https://news.ycombinator.com/item?id=46581095


Looks like it's impossible for me to use this service - when I try to submit the form, I get a reCAPTCHA challenge. By the time I complete it (Google requires me to make several attempts, each one being several pages), the page errors out in the background with "reCAPTCHA execution timeout".


Try solving it slowly, some captchas love that.


I don't think you understand. This website imposes its own time limit within which I must solve the CAPTCHA. Taking your time to solve the challenge slowly will not allow you to proceed, because the website's timeout will have expired.


How does it compare to CodeGemma for programming tasks?


Hi Graham!

Lots of exciting things here:

- Formally stabilizing flakes has been long awaited by everyone, I think.

- Parallel evaluation will improve developer experience - evaluation speed seems to be at the top of the list of feedback I've received from colleagues whom I've invited to try Nix.

- I'm hoping lazy trees will provide a better experience for flakes in monorepos.

Unfortunately I haven't had a great experience with the Determinate Nix installer when I tried it, though that was a while ago (shortly after launch) so may warrant revisiting.

I'm also concerned about the growing schism between Determinate Systems and the Nix community, as can be seen in the Discourse thread. I think there are opportunities to strengthen that bridge, e.g. naming things perhaps such that it's not possible to misinterpret this announcement as "Nix 3.0".

I am also curious to know what is your strategy for upholding the flakes stability guarantee without forking Nix. I'm not sure what the governance structure or roadmap is of the community Nix project, but would it not be possible that the project would want to eventually introduce a breaking change (e.g. to revisit the cross-compilation or parameterization aspects) that would affect Determinate Nix users?


> reinstates johnringer as nixpkgs maintainer

This is false.


> I'll repost for posterity:

There is no need to do that. People who want to see dead comments can turn that option on in their profile.


But the average lurker not logged in cannot see them.


I registered just to confirm this. Thanks for saying it's also an option, but I doubt I'll log in every time/too lazy to enable cookies.

