You seem pretty cool and in it for the fun. May I make one feature request that would cause me to try it? A big reassuring READ ONLY mode that sandboxes file writes to zero. Of course that would constrain some of the product from working, that’s okay.
The default mode it uses for approving LLM tools is already read-only - it has a quite complicated (but conservative) bash parser that tries to let things that are definitely read-only get approved without bothering the user. It also has a tool for exploring the codebase where the LLM provides javascript code that runs in a sandbox with a read-only filesystem class.
But the architecture is such that this core functionality is just a plugin, and anyone can write their own custom approval filter plugin, and make it do whatever you want