[ptx]

And it sounds like the proxy can be easily circumvented by the agent, since it only applies within the Node process and the agent can execute arbitrary external commands.

(The filesystem wrapper API sounds even more pointless. The risk it protects against seems insignificant compared to the other risks associated with their system.)

[solarkraft]

The proxy can be circumvented if the agent can execute arbitrary commands. This is where you’d start if you were planning to enable a world in which it’s more deliberately scoped.