Great tool! I've witnessed numerous cases where novice users lost critical data assets by recklessly granting proxies/AI agents excessive permissions without understanding the security implications.
One thing that comes to mind is whether the sandbox can restrict outbound network access per process or per command. That could be useful for preventing agents from silently exfiltrating data while still allowing limited API calls.
the network restriction question is the interesting one for agent sandboxing — the real risk isn't the agent reading files it shouldn't, it's exfiltrating data through api calls to attacker-controlled endpoints. for agent-to-agent payment protocols like x402 the question gets weird: the agent needs outbound to pay for data, but you want to allowlist which endpoints it can call. per-process network policy + endpoint allowlisting seems like the right primitive here
https://en.wikipedia.org/wiki/Almquist_shell