Summary
To make predict-rlm useful for repo-aware and workspace-aware tasks while preserving sandbox safety, it would help to support host-configured directory mounts into the runtime.
This is especially important for embedding into systems that work on codebases or structured local artifacts.
Problem
A lot of realistic recursive tasks need visibility into a workspace:
- inspect a repository
- read files directly
- analyze local documents
- write proposed changes into a scratch area
- compare generated artifacts
If the runtime only sees inline input blobs, that becomes too limiting.
At the same time, giving unrestricted host filesystem access would undermine the sandbox model.
Proposed direction
Allow the host to mount selected directories into the runtime with explicit permissions:
- read-only mount
- read-write mount
- optional path restrictions
- optional scratch/temp mount
Desired properties
- host explicitly chooses what paths are mounted
- mounts are visible in run configuration and trace metadata
- read-only vs read-write is enforced
- no implicit access to the full host filesystem
- paths outside mounts are inaccessible by default
Example
An embedding system could mount:
- the current repo as read-only
- a temp working directory as read-write
- generated context files as read-only
This would cover many real use cases without breaking the security model.
Why this matters
For code and document workflows, mounted dirs are the cleanest middle ground between:
- everything is sandboxed and useless
- the runtime has arbitrary host filesystem access
Use cases
- codebase analysis
- documentation processing
- generating patches into a scratch area
- test artifact inspection
- local project reasoning inside a controlled boundary
Acceptance criteria
- host can define one or more mounted directories
- each mount has explicit permissions
- runtime can access mounted paths but not arbitrary host paths
- docs explain the security model clearly
- structured trace/config includes mount metadata
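One way the host-side check behind the desired properties and acceptance criteria above could work, as an added example that is not predict-rlm code: `Mount`, `MountTable`, `demo` and the guest paths `/repo` and `/scratch` are hypothetical names. It denies by default, enforces read-only versus read-write, and resolves `..` and symlinks before testing containment.

```python
import tempfile
from dataclasses import dataclass
from pathlib import Path

@dataclass(frozen=True)
class Mount:
    host_dir: Path          # directory the host chose to expose
    guest_dir: str          # path the runtime sees, e.g. "/repo"
    writable: bool = False  # read-only unless the host says otherwise

class MountTable:
    def __init__(self, mounts):
        # Resolve host roots once so containment checks compare real paths.
        self.mounts = [Mount(Path(m.host_dir).resolve(), m.guest_dir.rstrip("/"),
                             m.writable) for m in mounts]

    def resolve(self, guest_path, write=False):
        """Map a runtime path to a host path, or raise PermissionError."""
        for m in self.mounts:
            if guest_path != m.guest_dir and not guest_path.startswith(m.guest_dir + "/"):
                continue
            rel = guest_path[len(m.guest_dir):].lstrip("/")
            # resolve() collapses ".." and follows symlinks before the check.
            real = (m.host_dir / rel).resolve()
            if real != m.host_dir and m.host_dir not in real.parents:
                raise PermissionError(f"{guest_path} escapes mount {m.guest_dir}")
            if write and not m.writable:
                raise PermissionError(f"{m.guest_dir} is mounted read-only")
            return real
        raise PermissionError(f"{guest_path} is outside every mount")  # default deny

    def describe(self):
        """Mount metadata for run configuration and trace output."""
        return [{"guest": m.guest_dir, "host": str(m.host_dir),
                 "mode": "rw" if m.writable else "ro"} for m in self.mounts]

def demo():
    # Constructed layout: read-only repo, read-write scratch, one outside dir.
    base = Path(tempfile.mkdtemp())
    for name in ("repo", "scratch", "outside"):
        (base / name).mkdir()
    (base / "repo" / "link").symlink_to(base / "outside")  # points out of the mount
    table = MountTable([Mount(base / "repo", "/repo"),
                        Mount(base / "scratch", "/scratch", writable=True)])
    def check(path, write=False):
        try:
            return bool(table.resolve(path, write))
        except PermissionError:
            return False
    return table, check
```

A check-then-open design like this can race if the mounted tree changes between the check and the open, so the same policy is best also enforced at the runtime's filesystem layer.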