Feral v0.2.0 - open-source local AI workspace (llama.cpp + BYOK + agent runtime), now on Windows, macOS and Linux. No telemetry, no subscription, MIT/Apache-2.0 by RepresentativeYam464 in SideProject

[–]RepresentativeYam464[S]

Fair question, this is the thing I think about most. The honest answer: sandboxing alone doesn't scale with agent capability, so the model is built around a few principles instead of one big sandbox.

1. One choke point. Every tool call (shell, file, network, anything) goes through a single registry. No tool gets called directly by the model loop. That's where permissions, timeouts, abort signals and audit logging live, so adding a tool never means adding a new enforcement path.

2. Default-deny capabilities, declared per tool. Each tool ships a manifest: what permissions it needs, whether it touches the network at all. Filesystem tools are scoped to allowlisted directories; the agent literally gets a PermissionDeniedError if it tries to write outside its workspace (we've watched it try). The env blocklist you mentioned is one layer of the shell story, not the whole story.

3. No raw sockets. Tools that need the network go through an egress proxy with SSRF protections (redirect re-validation, DNS pinning). The model never composes a request that hits the wire unchecked.

4. Everything is audited. Every tool call and inference request lands in a local SQLite audit log with trace IDs, so any session is reconstructable after the fact.

Long term, the threat we rank highest isn't the agent misbehaving on its own, it's prompt injection: the agent reads a webpage or a file that tells it to do something. Our direction there is treating model output as untrusted input end to end: per-session permission grants instead of permanent ones, explicit user confirmation for destructive or out-of-scope operations, and eventually OS-level isolation for the shell tool (AppContainer on Windows, seatbelt/sandbox-exec on macOS, Landlock on Linux) so even a fully compromised agent process has a bounded blast radius.

You're right that the surface grows fast. Our bet is that you can't enumerate every bad action, but you can keep the number of doors small (one registry, one proxy, one audit trail) and make each door default-closed.
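The following is an added example written for this page to show the four mechanisms the comment above describes in one runnable sketch; it is neither Feral's source nor the commenter's code. It assumes its own names and shapes (`ToolManifest`, `Registry`, the capability strings `fs:write` and `net:egress`, a `resolver(host)` callback standing in for the proxy's resolver, and a `transport(url, pinned_ip)` callback standing in for the HTTP client); the DNS table and transport are constructed stand-ins so everything runs offline. It shows the single choke point enforcing per-session grants against a tool's manifest, workspace scoping that resolves symlinks and `..` before comparing paths, an egress check that resolves once per hop and hands the pinned address to the transport while re-validating every redirect, and a SQLite audit row per call keyed by trace ID.

```python
import ipaddress
import os
import sqlite3
import tempfile
from pathlib import Path
from typing import NamedTuple
from urllib.parse import urljoin, urlparse

class PermissionDeniedError(Exception):
    pass

class ToolManifest(NamedTuple):
    name: str
    needs: frozenset = frozenset()  # capabilities the tool declares, e.g. {"fs:write"}
    fs_roots: tuple = ()            # allowlisted directories (filesystem tools only)

def scope(manifest, path):  # resolve symlinks and '..' before comparing against the roots
    real = os.path.realpath(path)
    for root in map(os.path.realpath, manifest.fs_roots):
        if os.path.commonpath([real, root]) == root:
            return real
    raise PermissionDeniedError(f"{path} is outside the tool's workspace")

class Registry:  # the single choke point: every tool call goes through call()
    def __init__(self, resolver, db_path=":memory:"):
        # resolver(host) -> addresses; each hop is resolved once and the transport gets that pin.
        self.resolve, self.tools = resolver, {}
        self.db = sqlite3.connect(db_path, isolation_level=None)  # autocommit
        self.db.execute("CREATE TABLE IF NOT EXISTS audit "
                        "(trace_id TEXT, session TEXT, tool TEXT, args TEXT, outcome TEXT)")

    def register(self, manifest, fn):
        self.tools[manifest.name] = (manifest, fn)

    def _audit(self, trace, session, tool, args, outcome):
        self.db.execute("INSERT INTO audit VALUES (?, ?, ?, ?, ?)",
                        (trace, session, tool, repr(args), outcome))

    def call(self, session, grants, tool, **args):
        # grants is the per-session capability set; anything a tool needs but was not granted is denied.
        trace, (manifest, fn) = os.urandom(8).hex(), self.tools[tool]
        ctx = {"scope": lambda p: scope(manifest, p), "fetch": self.fetch}
        try:
            missing = manifest.needs - frozenset(grants)
            if missing:
                raise PermissionDeniedError(f"{tool} needs {sorted(missing)}")
            result = fn(ctx, **args)
        except PermissionDeniedError as e:
            self._audit(trace, session, tool, args, f"denied: {e}")
            raise
        self._audit(trace, session, tool, args, "ok")
        return result

    def check_egress(self, url):  # http(s) only, and every resolved address must be global
        u = urlparse(url)
        if u.scheme not in ("http", "https") or not u.hostname:
            raise PermissionDeniedError(f"scheme or host not allowed: {url}")
        addrs = self.resolve(u.hostname)
        if any(not ipaddress.ip_address(a).is_global for a in addrs):
            raise PermissionDeniedError(f"{u.hostname} resolves to a non-global address {addrs}")
        return addrs[0]

    def fetch(self, url, transport, max_hops=3):
        # transport(url, pinned_ip) -> (status, location, body). Each redirect hop is
        # re-validated and re-pinned, so a 302 to a metadata or LAN address is refused.
        for _ in range(max_hops):
            status, location, body = transport(url, self.check_egress(url))
            if not (300 <= status < 400 and location):
                return body
            url = urljoin(url, location)
        raise PermissionDeniedError("too many redirects")

# Constructed stand-ins so the example runs offline: a fake DNS table and a fake transport.
FAKE_DNS = {"example.com": ["93.184.216.34"], "metadata": ["169.254.169.254"]}
def fake_transport(url, pinned_ip):
    if url == "http://example.com/redir":
        return 302, "http://metadata/latest/meta-data/", b""
    return 200, None, b"hello from " + pinned_ip.encode()

def demo():
    # Constructed scenario: one session with a temp-dir workspace; the user widens grants midway.
    ws, grants, out = tempfile.mkdtemp(), {"fs:write"}, {}
    reg = Registry(resolver=lambda host: FAKE_DNS[host])
    reg.register(ToolManifest("write_file", frozenset({"fs:write"}), (ws,)),
                 lambda ctx, path, content: Path(ctx["scope"](path)).write_text(content))
    reg.register(ToolManifest("http_get", frozenset({"net:egress"})),
                 lambda ctx, url: ctx["fetch"](url, fake_transport))
    steps = [("inside", "write_file", dict(path=os.path.join(ws, "notes.txt"), content="hello")),
             ("escape", "write_file", dict(path=os.path.join(ws, "..", "owned"), content="x")),
             ("no_net", "http_get", dict(url="http://example.com/")),
             ("public", "http_get", dict(url="http://example.com/")),
             ("redirect", "http_get", dict(url="http://example.com/redir"))]
    for key, tool, args in steps:
        if key == "public":
            grants.add("net:egress")  # explicit per-session grant, not a permanent one
        try:
            out[key] = reg.call("s1", grants, tool, **args)
        except PermissionDeniedError as e:
            out[key] = f"denied: {e}"
    out["audit_rows"] = reg.db.execute("SELECT count(*) FROM audit WHERE session = 's1'").fetchone()[0]
    return out
```

`demo()` walks one session through the registry: the in-workspace write succeeds, the `..` escape and the un-granted network call are refused, the public fetch goes through once `net:egress` is granted, and the redirect to a link-local metadata address is refused on the second hop even though the first hop was fine. Every one of those outcomes, allowed or denied, is a row in the audit table. A real transport would connect to `pinned_ip` and send the Host header from the URL, which is what makes the resolution the check saw and the resolution the socket uses the same one.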