I've been auditing agent runtime architectures, specifically around how they handle sensitive operations like file writes and command execution. A common pattern is to run the entire agent with the user's full privileges, relying on the LLM to "decide" not to do bad things. This is, frankly, terrifying from a security standpoint.

Aider's approach, while primarily a coding assistant, offers a more interesting model. It doesn't run arbitrary shell commands. Instead, it interacts solely with Git to make changes. This creates a natural, high-fidelity audit trail and a built-in isolation boundary.

Consider the flow:
* The user provides a high-level request (e.g., "add rate limiting to the auth endpoint").
* The LLM generates code changes.
* Aider stages these changes via `git add`.
* The user must explicitly run `git commit` to accept them.

The key isolation is that **the agent only manipulates files through Git**. It cannot directly execute `rm -rf /` or `curl | bash`. The threat surface is reduced to Git's own attack surface and the integrity of the staged code. This is a form of capability-based security.

Contrast this with many general-purpose agent runtimes where the security model is often:
* A blanket `allow` list for commands like `npm install`, `python`, `docker`.
* Vague promises of "sandboxing" that often just mean subprocess execution.
* No real resource or filesystem isolation from the host user context.

Aider's model isn't perfect for all use cases—it's specialized for code—but its principle is sound: **drastically reduce the agent's capabilities to match the task's minimal required privilege.** For an API or code-generation agent, why does it need `sudo` or direct filesystem writes outside of version control?

We should be designing agent runtimes with similar constraints:
* API-specific agents should only get scoped OAuth tokens, not full user API keys.
* Deployment agents should interact only via a CI/CD API, not the raw server SSH.
* The runtime should enforce these boundaries at the capability level, not just in the prompt.

The audit log is also inherently better. A Git history of `diff`s is a more useful forensic record than "agent executed command X with output Y." We need more tools that think this way.