I will say one thing Claude does is it doesn't run a command until you approve it, and you can choose between a one-time approval and always allowing a command's pattern. I usually approve the simple commands like `zig build test`, since I'm not particularly worried about the test harness. I believe it also scopes file reading by default to the current directory.

A lot of people run the claude with --dangerously-skip-permissions

This is why I won't run Claude without additional sandboxing. I'm currently using (and quite pleased with) https://github.com/strongdm/leash

I'm definitely not running that on my machine.

The way this is generally implemented is that agents have the ability to request a tool use. Then you confirm "yes, you may run this grep".

Same, but I felt okay sticking my code base in a VM and then letting an agent run there. I’d say it worked well