
On the one hand, yes this has obviously high immediate value; on the other hand, I can't help but feel like you are giving access to multiple tools that can be used for arbitrary code execution anyway (i.e. running tests, installing dependencies, or running any linter that has a plugin system...), so blacklisting `git --exec-path=/bin/sh` for example is... Misguided? You would have a better time containing the agent in an environment without internet access?


It’s not misguided. The goal isn’t perfect security, the goal is mitigating risk and collaborating with cross-functional security, compliance, platform, operations, etc… teams.

Use Jules, also by Google, if you need what you describe.


Aka security theater to please corporate security teams that are having trouble keeping up with the new world.



