security

Claude Will Find a Way

·804 words·4 mins
AI security
While importing some race data for My Mind is Racing, I ran Claude inside a Nono sandbox whose whole job was to block network egress. Claude reached hosts well outside its allow list anyway. When I asked how, the answer was a small lesson in the difference between containing a process and containing an agent.

Enabling Private Vulnerability Reporting

·356 words·2 mins
security github
A small gh one-liner that turns on private vulnerability reporting for every public, non-archived, non-fork repo you own — or every repo in an org you administer — so security researchers have a sanctioned channel to report issues before they go public.

On Cooldowns and Dependabot Tuning

·614 words·3 mins
LLM automation Dependabot security supply chain
Dependabot’s defaults can make it look like an agent of chaos. Here’s how cooldowns, dependency groups, and a Claude skill turn down the churn — fewer rebases, boring CI, and a few extra days for the world to flag the bad actors.