I Run AI Agents With Full System Access. Here's What Makes It Safe Enough.

DEV Community·Ted Murray·about 1 month ago
#layer#ai#claude#agent#agents#tools

The guardrails question is real. If you give an LLM access to your infrastructure — actual file writes, actual service restarts, actual database queries — and it hallucinates a tool call or gets confused mid-task, you have a problem. A real one, not a theoretical risk.

I know this because I've been running agents with real infrastructure access since February. Five project contexts, each with its own scope and capabilities. Dev handles code repos. Infra manages Docker stacks, reverse proxy configs, and deploy scripts. Research does web search and architecture planning. The system runs on a dedicated mini PC called claudebox that exists for this purpose. Nothing has gone catastrophically wrong. That's not luck — or at least, I didn't want it to be luck. Here's the architecture.

The problem with the VM approach

Giving a local LLM access inside a VM is a real answer. You limit blast radius. If the agent does something harmful, the damage is contained. Wipe it and start over.…
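The one concrete architectural fact in the excerpt is that each project context has its own scope and capabilities. The following is an added illustration of how that can be enforced in code as a deny-by-default tool gate; it is not the author's claudebox code, and the context names, tool names, filesystem roots and stand-in handlers are constructed assumptions. It shows the three failure modes the text worries about being refused before any handler runs: a real tool the calling context was never granted, a write that tries to escape its allowed roots with `..`, and a hallucinated tool name that exists nowhere.

```python
"""Deny-by-default tool dispatch keyed on the agent's project context.

Added illustration, not the article's code: the context names, tool names,
filesystem roots and handlers below are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Callable


class ToolDenied(PermissionError):
    """Raised when a tool call falls outside the calling context's scope."""


@dataclass(frozen=True)
class Scope:
    tools: frozenset[str]          # tools this context may call at all
    write_roots: tuple[str, ...]   # absolute prefixes it may write under


# Assumed scopes loosely mirroring the article's dev / infra / research split.
SCOPES: dict[str, Scope] = {
    "dev": Scope(frozenset({"read_file", "write_file", "git"}), ("/srv/repos",)),
    "infra": Scope(frozenset({"read_file", "write_file", "docker", "restart_service"}),
                   ("/srv/stacks", "/etc/caddy")),
    "research": Scope(frozenset({"web_search"}), ()),
}

AUDIT: list[tuple[str, str, str]] = []   # (context, tool, "allow" or "deny")


def _under_roots(path: str, roots: tuple[str, ...]) -> bool:
    """True only for absolute, '..'-free paths at or below an allowed root."""
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:
        return False
    return any(p == PurePosixPath(r) or PurePosixPath(r) in p.parents for r in roots)


def authorize(context: str, tool: str, args: dict) -> None:
    """Reject anything not explicitly granted to this context.

    A hallucinated tool name is simply absent from the scope and is denied
    the same way as a real-but-out-of-scope tool."""
    scope = SCOPES.get(context)
    if scope is None:
        AUDIT.append((context, tool, "deny"))
        raise ToolDenied(f"unknown context {context!r}")
    if tool not in scope.tools:
        AUDIT.append((context, tool, "deny"))
        raise ToolDenied(f"{context}: {tool!r} is not in scope")
    if tool == "write_file" and not _under_roots(str(args.get("path", "")), scope.write_roots):
        AUDIT.append((context, tool, "deny"))
        raise ToolDenied(f"{context}: write outside allowed roots: {args.get('path')!r}")
    AUDIT.append((context, tool, "allow"))


def dispatch(context: str, tool: str, args: dict,
             handlers: dict[str, Callable[..., str]]) -> str:
    """Authorize first, then run the handler; the check is the only gate."""
    authorize(context, tool, args)
    return handlers[tool](**args)


# Constructed stand-in handlers so the example runs offline.
HANDLERS: dict[str, Callable[..., str]] = {
    "read_file": lambda path: f"read {path}",
    "write_file": lambda path, content: f"wrote {len(content)} bytes to {path}",
    "git": lambda cmd: f"git {cmd}",
    "docker": lambda cmd: f"docker {cmd}",
    "restart_service": lambda name: f"restarted {name}",
    "web_search": lambda query: f"results for {query!r}",
}


def demo() -> list[tuple[str, str, str]]:
    """Run one allowed call and three that must be denied; return the audit trail."""
    AUDIT.clear()
    dispatch("dev", "write_file", {"path": "/srv/repos/app/main.py", "content": "x"}, HANDLERS)
    for ctx, tool, args in [
        ("dev", "restart_service", {"name": "caddy"}),                               # out of scope
        ("infra", "write_file", {"path": "/srv/stacks/../../etc/passwd", "content": "x"}),  # escape
        ("research", "drop_database", {"name": "prod"}),                            # hallucinated
    ]:
        try:
            dispatch(ctx, tool, args, HANDLERS)
        except ToolDenied:
            pass
    return list(AUDIT)


if __name__ == "__main__":
    for row in demo():
        print(*row)
```

The gate is intentionally the only path to a handler, so a confused or hallucinated call never reaches a side effect without passing the per-context allowlist; the audit list is what you would ship to a log so that denials are visible rather than silent.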
