2 points by saranshrana 4 hours ago | 2 comments
  • lukebaze 2 hours ago
    We run everything through a custom wrapper that logs all shell invocations to a separate Vector pipeline before execution. It helps with audit trails, but doesn't really solve the problem of "what if the model decides to rm -rf /". Are you planning any kind of capability-based sandboxing, or just hoping the model doesn't get weird with API credentials it has access to? fwiw that's the bigger risk in our setup.
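A sketch of the two ideas in the comment above, as an added example that is not the commenter's code or any project's code: a wrapper that emits an audit record for every shell invocation before it runs anything, and a capability allow-list that refuses commands outside the granted set rather than only logging them. The `COMMAND_CAPABILITIES` policy, the event schema, the `ShellWrapper` class and the `sink`/`runner` hooks are this example's own constructions; in a real deployment the sink would forward the JSON lines to the Vector pipeline the comment mentions.

```python
"""Audit-logging shell wrapper with a capability allow-list (constructed example)."""
import json
import shlex
import subprocess
import time

# Constructed policy: which capability a command needs, keyed on argv[0].
# Classifying on argv[0] alone is coarse (e.g. "git push" vs "git log");
# a production policy would also look at subcommands and arguments.
COMMAND_CAPABILITIES = {
    "ls": "fs.read",
    "cat": "fs.read",
    "grep": "fs.read",
    "git": "vcs.read",
    "rm": "fs.delete",
    "curl": "net.egress",
    "wget": "net.egress",
}

# Minimal environment for child processes: the agent's own API credentials
# live in the parent environment and are deliberately NOT inherited.
CHILD_ENV = {"PATH": "/usr/bin:/bin", "LANG": "C"}


def required_capability(argv):
    """Return the capability a parsed command needs; anything unrecognised is 'unknown'."""
    if not argv:
        return "unknown"
    return COMMAND_CAPABILITIES.get(argv[0], "unknown")


def audit_event(argv, capability, decision, session_id):
    """One structured audit record, built before execution so denied attempts are logged too."""
    return {
        "ts": time.time(),
        "session": session_id,
        "argv": argv,
        "capability": capability,
        "decision": decision,
    }


class ShellWrapper:
    def __init__(self, granted, sink, runner=None, session_id="constructed-session"):
        self.granted = set(granted)     # capabilities this agent session holds
        self.sink = sink                # callable receiving one JSON line per invocation
        self.runner = runner or self._run_subprocess
        self.session_id = session_id

    @staticmethod
    def _run_subprocess(argv):
        # No shell=True: the model's string is split with shlex and passed as argv,
        # so ";" , "|" and "$(...)" are literal arguments, not shell syntax.
        completed = subprocess.run(argv, capture_output=True, text=True,
                                   env=CHILD_ENV, timeout=30)
        return completed.returncode

    def invoke(self, command):
        """Log the attempt, then run it only if its capability was granted."""
        try:
            argv = shlex.split(command)
        except ValueError:            # unbalanced quotes etc.: treat as unparseable
            argv = []
        capability = required_capability(argv)
        decision = "allow" if capability in self.granted else "deny"
        # Log first, unconditionally: the trail must contain the attempt even if
        # execution is denied or the child process never starts.
        self.sink(json.dumps(audit_event(argv, capability, decision, self.session_id)))
        if decision == "deny":
            return {"decision": decision, "capability": capability, "returncode": None}
        return {"decision": decision, "capability": capability,
                "returncode": self.runner(argv)}


if __name__ == "__main__":
    # Usage with a read-only grant; the sink just prints the JSON lines here.
    wrapper = ShellWrapper(granted={"fs.read"}, sink=print)
    print(wrapper.invoke("ls -la /tmp"))
    print(wrapper.invoke("rm -rf /"))       # logged, then denied: fs.delete not granted
```

Because the command is split with `shlex` and executed without a shell, an attempt like `ls; rm -rf /` yields `argv[0] == "ls;"`, which maps to no capability and is denied; the audit line still records the full argv so the attempt is visible downstream.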
  • OdinSpecc 3 hours ago
    [dead]