Hey HN. I got nervous about prompt injection bypassing standard agent SDKs by just calling node:fs directly. I built this to monkey-patch core modules and log a 'receipt' of what the agent actually did. I know it's not a hard OS sandbox, and Deno handles this better natively, but I wanted a pragmatic seatbelt for existing Node codebases. Would love feedback!
I wrote a short thread and included a screenshot of the UI catching a redacted key here: https://x.com/LocalhostLegend/status/2043511508408160666
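
A minimal sketch of the technique the post describes (wrapping `node:fs` functions and recording a receipt for each call), as an added example that is not the project's code. The names `auditFs`, `redact`, `demo` and the secret patterns are assumptions made for illustration; only synchronous methods are covered here.

```javascript
// Added example, not the project's code: audit shim for synchronous node:fs calls.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const { syncBuiltinESMExports } = require('node:module');

// Constructed secret patterns for illustration only.
const SECRET_RE = /\b(sk-[A-Za-z0-9]{8,}|AKIA[0-9A-Z]{16})\b/g;

function redact(value) {
  if (Buffer.isBuffer(value)) return `<Buffer ${value.length} bytes>`;
  if (typeof value === 'string') return value.replace(SECRET_RE, '[REDACTED]');
  return value;
}

// Hypothetical helper: wrap the named sync fs methods and record one receipt per call.
function auditFs(methods) {
  const receipts = [];
  const originals = {};
  for (const name of methods) {
    const original = (originals[name] = fs[name]);
    fs[name] = function audited(...args) {
      const entry = { ts: new Date().toISOString(), api: `fs.${name}`, args: args.map(redact) };
      receipts.push(entry); // logged before the call, so failed attempts are kept too
      try {
        const result = original.apply(this, args);
        entry.ok = true;
        return result;
      } catch (err) {
        entry.ok = false;
        entry.error = err.code || err.message;
        throw err;
      }
    };
  }
  syncBuiltinESMExports(); // make `import { readFileSync } from 'node:fs'` see the wrappers
  const restore = () => { Object.assign(fs, originals); syncBuiltinESMExports(); };
  return { receipts, restore };
}

function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'receipt-'));
  const { receipts, restore } = auditFs(['readFileSync', 'writeFileSync']);
  const file = path.join(dir, 'notes.txt');
  fs.writeFileSync(file, 'token=sk-CONSTRUCTEDEXAMPLE123'); // constructed fake key
  fs.readFileSync(file, 'utf8');
  try { fs.readFileSync(path.join(dir, 'missing.txt')); } catch { /* expected ENOENT */ }
  restore();
  fs.rmSync(dir, { recursive: true, force: true });
  return receipts;
}
```

Calling `demo()` returns three receipts: the write with its payload redacted, the successful read, and the failed read with its error code. Code that captured a reference to an `fs` function before `auditFs` ran, and anything going through `fs.promises`, is not seen by this wrapper.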