Safety and governance
Parity with modern agent hardening — explicit modules, not bolt-on regex lists only.
Egress checks resolve hostnames before connecting to catch rebinding and private-network traps.
Tool arguments are Unicode-sanitized at ingress; denial budgets escalate chronic blocked commands.
Team governance, identity exports, and audit taxonomies complement repo-local policy files.
Permission lint catches conflicting autonomy modes before they ship to CI.