Hacker News

the implication goes further. the /proc credential harvesting that earlier Mythos versions did wasn't a sandbox escape, it was using available permissions. every coding agent today has similar available permissions. the fix is OS-level least-privilege (containers, pledge/unveil, seccomp) not hoping the model won't look at /proc.
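
One way to measure the exposure described in the comment above, as an added example that is not part of the original comment: it reports which other processes' `/proc/<pid>/environ` files the current uid can read and which variable names look like credentials, run here over a constructed directory tree instead of a real `/proc`. The function names, the name pattern and the sample data are assumptions made for illustration.

```python
import os
import re
import tempfile

# Name patterns that usually indicate a credential (assumed list, extend as needed).
SECRET_NAME = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|CREDENTIAL)", re.I)

def audit_proc(proc_root="/proc", self_pid=None):
    """Return {pid: [secret-looking variable names]} for every other process
    whose environ this uid can read. Values are never returned or printed."""
    self_pid = str(os.getpid() if self_pid is None else self_pid)
    exposed = {}
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit() or entry == self_pid:
            continue  # skip non-process entries and the auditing process itself
        try:
            with open(os.path.join(proc_root, entry, "environ"), "rb") as fh:
                raw = fh.read()
        except OSError:
            continue  # permission denied or process exited: not exposed
        names = [kv.split(b"=", 1)[0].decode("ascii", "replace")
                 for kv in raw.split(b"\0") if b"=" in kv]
        exposed[int(entry)] = sorted(n for n in names if SECRET_NAME.search(n))
    return exposed

def build_sample_proc(root):
    """Constructed sample tree standing in for /proc (not real process data)."""
    sample = {
        "100": b"PATH=/usr/bin\0HOME=/home/dev\0",
        "200": b"PATH=/usr/bin\0DEPLOY_TOKEN=constructed\0DB_PASSWORD=constructed\0",
        "300": b"LANG=C\0",  # stands in for the agent's own pid
    }
    for pid, env in sample.items():
        os.makedirs(os.path.join(root, pid))
        with open(os.path.join(root, pid, "environ"), "wb") as fh:
            fh.write(env)
    os.makedirs(os.path.join(root, "sys"))  # non-pid entry, must be ignored

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_proc(tmp)
        for pid, names in audit_proc(tmp, self_pid=300).items():
            print(pid, names or "readable, no secret-looking names")
```

Calling `audit_proc()` with its defaults under the agent's uid, once outside and once inside the container or sandbox, shows whether the isolation actually removed the access: an empty result inside is the least-privilege outcome.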


