Comment by justvugg
2 days ago
Hi, thanks for the comment. The unified agent doesn’t execute untrusted code — it orchestrates. Side effects only happen at explicit execution boundaries (remote tools or the CodeAgent). The CodeAgent is sandboxed in Docker; the planner/router isn’t, because it never executes arbitrary code. Least-privilege and auditing are enforced at the execution boundary, not per function. Do you have any suggestions for making PolyMCP better?
Makes sense — execution boundary is the right place.
I'd prioritize audit logs + correlation IDs, and short-lived creds per tool call. Do you expose tool capabilities to the planner without exposing creds?
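As an added illustration of the pattern discussed in this thread (not PolyMCP's own code), the sketch below puts three things at the execution boundary: a per-call correlation ID that tags every audit record, a short-lived credential bound to one tool and one correlation ID, and a planner view that carries capabilities and scopes but no credential material. The tool registry, the HMAC-based credential format and the shared issuer key are assumptions for the example.

```python
import hashlib, hmac, json, secrets, time, uuid
from typing import Optional

# Constructed capability registry: the planner sees names, descriptions and scopes only.
TOOL_CAPABILITIES = {
    "read_file": {"description": "Read a workspace file", "scope": "fs:read"},
    "http_get": {"description": "Fetch a URL", "scope": "net:read"},
}
# Assumption: a symmetric key shared by the boundary and the tools; a real deployment
# would give tools a verification key only.
_ISSUER_KEY = secrets.token_bytes(32)
AUDIT_LOG: list = []

def planner_view() -> dict:
    """Capabilities exposed to the planner/router; contains no credential material."""
    return {name: dict(cap) for name, cap in TOOL_CAPABILITIES.items()}

def mint_credential(tool: str, cid: str, ttl_s: int = 30, now: Optional[int] = None) -> dict:
    """Short-lived credential bound to one tool and one correlation id."""
    exp = (int(time.time()) if now is None else now) + ttl_s
    mac = hmac.new(_ISSUER_KEY, f"{tool}|{cid}|{exp}".encode(), hashlib.sha256).hexdigest()
    return {"tool": tool, "cid": cid, "exp": exp, "mac": mac}

def credential_valid(cred: dict, tool: str, cid: str, now: Optional[int] = None) -> bool:
    """What a remote tool checks before acting: integrity, binding to tool/cid, expiry."""
    now = int(time.time()) if now is None else now
    msg = f"{cred['tool']}|{cred['cid']}|{cred['exp']}".encode()
    expected = hmac.new(_ISSUER_KEY, msg, hashlib.sha256).hexdigest()
    return (hmac.compare_digest(cred["mac"], expected)
            and cred["tool"] == tool and cred["cid"] == cid and now < cred["exp"])

def remote_tool(tool: str, cred: dict, cid: str, args: dict, now: Optional[int] = None) -> dict:
    """Simulated remote tool: refuses any call whose credential is not bound to it."""
    if not credential_valid(cred, tool, cid, now):
        return {"ok": False, "error": "credential rejected"}
    return {"ok": True, "result": f"{tool} ran with {json.dumps(args, sort_keys=True)}"}

def execute(tool: str, args: dict, cid: Optional[str] = None) -> dict:
    """Execution boundary: one correlation id per call, creds minted here, outcome audited."""
    cid = cid or str(uuid.uuid4())
    if tool not in TOOL_CAPABILITIES:
        AUDIT_LOG.append({"cid": cid, "tool": tool, "status": "denied"})
        return {"ok": False, "cid": cid, "error": "unknown tool"}
    out = remote_tool(tool, mint_credential(tool, cid), cid, args)
    AUDIT_LOG.append({"cid": cid, "tool": tool, "scope": TOOL_CAPABILITIES[tool]["scope"],
                      "status": "ok" if out["ok"] else "rejected"})
    return {"cid": cid, **out}
```

Because the credential is tied to both the tool name and the correlation ID, a leaked credential from one call cannot be replayed against another tool or a different request, and the audit record for the call can be joined to the tool-side log on the same `cid`.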