Time traveling agent sandboxes
Evaluate agents with knowledge cut-offs. Generate temporally-consistent context in your cloud.
It all runs in your cloud.

Chalk Compute and the Chalk Context Engine deploy entirely inside your AWS, GCP, or Azure account.
Hardened at the kernel. Locked at the network. Identified at the workload.
Every sandbox runs under gVisor — a user-space kernel that intercepts syscalls before they reach the host. Inside the sandbox, root has no effective capabilities, no-new-privs is on, and the kernel interfaces with the worst historical bug count are sealed off. We run a probe suite against every build to verify the sandbox holds.
gVisor isolation
Every workload runs under gVisor — a user-space kernel that mediates syscalls before they reach the host. Inside the sandbox, CapEff and CapBnd are zero, no-new-privs is on, and securebits (secure-noroot, secure-no-suid-fixup, secure-keep-caps) are locked. Root inside the container has nothing to escalate to.
Kernel surface unreachable
The interfaces with the largest historical bug count are blocked entirely: io_uring, bpf, perf_event_open, userfaultfd, fanotify, and kexec_load all return permission denied. /dev/kcore, /dev/mem, and /dev/port don't exist; /sys/kernel is empty; host block-device mounts aren't visible.
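Claims like these can be verified from inside the sandbox itself. The probe below is an added example, not Chalk's own probe suite: it reads the capability sets and NoNewPrivs from /proc/self/status, queries securebits through prctl(PR_GET_SECUREBITS), and confirms the listed device nodes are absent. The prctl option number and securebits bit positions are assumed from the Linux headers, and the sample status text is constructed.

```python
import ctypes
import os

# Device nodes the page says do not exist inside the sandbox.
SEALED_DEVICE_PATHS = ("/dev/kcore", "/dev/mem", "/dev/port")
# prctl(2) constants, assumed from the Linux uapi headers (not on the page).
PR_GET_SECUREBITS = 27
SECBIT_NOROOT_LOCKED = 1 << 1
SECBIT_NO_SETUID_FIXUP_LOCKED = 1 << 3
SECBIT_KEEP_CAPS_LOCKED = 1 << 5
LOCKED_MASK = SECBIT_NOROOT_LOCKED | SECBIT_NO_SETUID_FIXUP_LOCKED | SECBIT_KEEP_CAPS_LOCKED
# Constructed /proc/self/status excerpt showing the hardened state the page describes.
SAMPLE_HARDENED_STATUS = "Name:\tsh\nCapEff:\t0000000000000000\nCapBnd:\t0000000000000000\nNoNewPrivs:\t1\n"

def parse_proc_status(text):
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict of strings."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def evaluate_status(text):
    """Map each claim to True (holds) or False; a missing field counts as a violation."""
    f = parse_proc_status(text)
    full_caps = "ffffffffffffffff"  # default so an absent field never passes by accident
    return {
        "cap_eff_zero": int(f.get("CapEff", full_caps), 16) == 0,
        "cap_bnd_zero": int(f.get("CapBnd", full_caps), 16) == 0,
        "no_new_privs": f.get("NoNewPrivs") == "1",
    }

def evaluate_securebits(bits):
    """True when the three securebits the page lists are all locked in a PR_GET_SECUREBITS value."""
    return (bits & LOCKED_MASK) == LOCKED_MASK

def probe_live():
    """Run every check against the calling process; only meaningful inside the sandbox."""
    with open("/proc/self/status") as fh:
        results = evaluate_status(fh.read())
    libc = ctypes.CDLL(None, use_errno=True)
    results["securebits_locked"] = evaluate_securebits(libc.prctl(PR_GET_SECUREBITS, 0, 0, 0, 0))
    results["devices_absent"] = not any(os.path.exists(p) for p in SEALED_DEVICE_PATHS)
    return results

if __name__ == "__main__":
    for name, ok in probe_live().items():
        print(f"{name:18} {'PASS' if ok else 'FAIL'}")
```

Run it as the sandboxed workload; any FAIL line names the claim that did not hold on that build.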
Workload Identity Federation
Every sandbox launches with its own OIDC-compliant cloud identity, scoped to that workload alone. When self-hosted on Kubernetes, no service account token is mounted into the workload — it cannot authenticate to the cluster API by default.
Network Policy
Restrict outbound egress to a hostname or CIDR allowlist; off-list traffic is dropped silently at the network layer. Raw packet sockets (AF_PACKET) and link-level admin (ip link) are blocked outright — a compromised agent can't sniff the wire or reconfigure interfaces.
MCP Gateway
Sandboxes call MCP servers through the gateway, authenticated by their workload identity. The gateway holds the real credential and proxies the call — agents get tool access without ever seeing the upstream key.
WireGuard Tunnels
Per-session WireGuard tunnels with dynamically negotiated keys, scoped to a single workload. Connect sandboxes to each other or bridge to on-prem databases without exposing them to the public internet.
Compute that knows your data.
See what your team can ship when sandboxes, models, and agents all run on the same engine — inside your cloud.