My default mental model is that a permissive toolset can be fine if the sandbox is strong, since the worst failures should still be contained to the sandbox. I agree the tricky part is when the harness crosses the boundary and mutates external state, like making API calls or touching production resources.

In those cases, I try to make the tool interface restrictive by design, since it’s hard to know the right guardrails in advance. The goal is to eliminate entire classes of failure by making certain actions impossible, not just discouraged.

What were the actual failure modes you saw at GTWY.ai that motivated the step-gating approach?