We always reset the directory back to the project directory on each command, so that helps.
But we're open to adding more restrictions so that it can't, for example, run `cd /usr && rm -rf .`.
How about executing commands in a VM (perhaps Firecracker)?