It's mainly from experience. From when I set it up I didn't have the feature to ask whether to run commands. It has been rawdogging commands this whole time and has never been a problem for me.
I think we have many other users who are similar. To be fair, sometimes after watching it install packages with npm, people are surprised and say that they would have preferred that it asked. But usually this is just the initial reaction. I'm pretty confident this is the way forward.
Do you have any sandbox-like restrictions in place to ensure that commands are limited to only touching the project folder, not any other places in the system?
You can use pledge[1] to restrict the tool to read/write only in specific directories, or only use certain system calls. This is easier to run than from a container or VM, but can be a bit fiddly to set up at first.
Assuming you trust it with the files in your codebase, and them being shared with third parties. Which is a hard pill to swallow for a proprietary program.
Could you please explain a bit how you are sure about it?