FileSystemTools: Add sandboxed directory support to restrict file operations #45

@kezhenxu94

Description

Problem

FileSystemTools currently allows agents to read, write, and edit any file on the filesystem using absolute paths. There is no mechanism to restrict operations to a specific directory. This is a security concern when deploying agents in shared or untrusted environments — a misbehaving or prompt-injected agent could read sensitive files (e.g., ~/.ssh/id_rsa, /etc/passwd) or overwrite arbitrary paths.

Proposed Solution

Add an optional sandboxDirectory configuration to FileSystemTools that, when set, restricts all file operations to paths within that directory. Any attempt to access a path outside the sandbox should return an error.

Suggested behavior:

  • If sandboxDirectory is null (default), behavior is unchanged for backwards compatibility.
  • If sandboxDirectory is set, all resolved paths must be within it. Path traversal attempts (e.g., ../../etc/passwd) should be detected and rejected by resolving the canonical path before the check.
  • The Builder should expose a sandboxDirectory(Path path) method to configure this.

Example usage:

FileSystemTools tools = FileSystemTools.builder()
    .sandboxDirectory(Path.of("/workspace/project"))
    .build();

Error returned when access is denied:

Error: Access denied. Path is outside the allowed sandbox directory: /etc/passwd
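The check the proposal describes, worked through as an added example (this is not FileSystemTools' code or API; the class name SandboxPathResolver, its resolve method and the use of java.nio.file.AccessDeniedException are assumptions made for illustration). It goes one step beyond the text: besides lexically normalizing ../ segments, it canonicalizes the deepest existing ancestor of the requested path, so a symlink inside the sandbox that points outside it is caught too, and paths that do not exist yet (write targets) can still be checked.

```java
import java.io.IOException;
import java.nio.file.AccessDeniedException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Illustrative sandbox check (not the project's own code). Every path an agent
 * hands to a file tool is resolved against the sandbox directory and must stay
 * inside it after normalization and symlink resolution.
 */
public final class SandboxPathResolver {

    /** Canonical sandbox root; null means unrestricted (default behaviour). */
    private final Path sandboxReal;

    public SandboxPathResolver(Path sandboxDirectory) throws IOException {
        // Canonicalize the sandbox itself once, so a symlinked root compares correctly.
        this.sandboxReal = sandboxDirectory == null ? null : sandboxDirectory.toRealPath();
    }

    /** Returns the canonical path to operate on, or throws if it escapes the sandbox. */
    public Path resolve(String requested) throws IOException {
        Path p = Paths.get(requested);
        if (sandboxReal == null) {
            return p.toAbsolutePath().normalize(); // sandboxDirectory unset: unchanged behaviour
        }
        // Relative paths are taken relative to the sandbox, not the process cwd;
        // an absolute path is kept as-is (Path.resolve returns it unchanged).
        // normalize() folds "../" segments lexically: "../../etc/passwd" -> "/etc/passwd".
        Path candidate = sandboxReal.resolve(p).normalize();

        // Lexical normalization cannot see symlinks, so canonicalize the deepest
        // ancestor that exists and re-append the remainder of the path.
        Path existing = candidate;
        while (existing != null && !Files.exists(existing, LinkOption.NOFOLLOW_LINKS)) {
            existing = existing.getParent();
        }
        Path canonical;
        try {
            canonical = existing == null
                    ? null
                    : existing.toRealPath().resolve(existing.relativize(candidate));
        } catch (IOException e) {
            canonical = null; // e.g. a dangling symlink: treat as not resolvable
        }
        if (canonical == null || !canonical.startsWith(sandboxReal)) {
            throw new AccessDeniedException(requested, null,
                    "Access denied. Path is outside the allowed sandbox directory: " + requested);
        }
        return canonical;
    }

    /** Demo on a constructed temporary sandbox; nothing outside it is modified. */
    public static void main(String[] args) throws IOException {
        Path sandbox = Files.createTempDirectory("sandbox");
        Files.writeString(sandbox.resolve("notes.txt"), "inside the sandbox");
        try {
            // A link inside the sandbox that points outside it (skipped where unsupported).
            Files.createSymbolicLink(sandbox.resolve("escape"), Paths.get("/etc"));
        } catch (IOException | UnsupportedOperationException e) {
            System.out.println("(symlink demo skipped: " + e.getMessage() + ")");
        }

        SandboxPathResolver resolver = new SandboxPathResolver(sandbox);
        System.out.println("allowed: " + resolver.resolve("notes.txt"));
        System.out.println("allowed: " + resolver.resolve("sub/new-file.txt")); // not created yet

        for (String bad : new String[] {"../../etc/passwd", "/etc/passwd", "escape/passwd"}) {
            try {
                resolver.resolve(bad);
                System.out.println("unexpectedly allowed: " + bad);
            } catch (AccessDeniedException e) {
                System.out.println("Error: " + e.getReason());
            }
        }
    }
}
```

Path.startsWith compares whole path components, so a sibling directory such as /workspace/project-old is not mistaken for the inside of /workspace/project. The canonicalization step matters most for write operations: the target file usually does not exist yet, which is why the loop walks up to the nearest existing ancestor instead of calling toRealPath on the candidate directly.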
