This is the way. If you’re not running your agent harness/framework in a container with explicit bind mounts or copy-on-build then you’re doing it wrong. Whenever I see someone complain about filesystem access and sequirity risk it’s a clear signal of incompetence imo.
reply> container with explicit bind mounts
replySomeone correct me if I'm wrong, but if you're doing bind-mounts, ensure you do read-only, if you're doing bi-directional bind mounts with docker, the agent could (and most likely know how to) create a symlink that allows them to browse outside the bind mount.
That's why I explicitly made my tooling do "Create container, copy over $PWD, once agent completes, copy back to $PWD" rather than the bind-mount stuff.