Security Model

Run agents in isolated runtimes with brokered access, persistent state, and no direct internet egress by default.

Brokered Access

You don’t “SSH into a box.” You open a session through an access gateway using short-lived, one-time links and session-bound access.

Direct access is blocked by design. If a URL leaks, it won’t stay valid, and the runtime only accepts requests that prove they came through the gateway.
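
One way the checks described above can fit together, as an added example that is not the product's own code. It assumes the gateway signs each link with an HMAC key the runtime also holds; the names issue_link and Runtime.accept, the 60-second lifetime and the sample key are all hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: gateway and runtime share this key. The page does not say how
# the runtime verifies gateway origin. Constructed value for the example.
GATEWAY_KEY = secrets.token_bytes(32)
LINK_TTL_SECONDS = 60  # hypothetical lifetime of a one-time link


def _sign(key, session_id, nonce, expires):
    msg = f"{session_id}|{nonce}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_link(session_id, now=None):
    """Gateway side: mint a short-lived, single-use link bound to one session."""
    expires = int((time.time() if now is None else now) + LINK_TTL_SECONDS)
    nonce = secrets.token_urlsafe(16)
    return {"session": session_id, "nonce": nonce, "expires": expires,
            "sig": _sign(GATEWAY_KEY, session_id, nonce, expires)}


class Runtime:
    """Runtime side: accept only gateway-signed, unexpired, unused links."""

    def __init__(self, key, session_id):
        self._key = key
        self._session_id = session_id
        self._used_nonces = set()

    def accept(self, link, now=None):
        now = time.time() if now is None else now
        expected = _sign(self._key, link["session"], link["nonce"], link["expires"])
        # Constant-time compare; a missing, forged or tampered signature fails here.
        if not hmac.compare_digest(expected.encode(), str(link.get("sig", "")).encode()):
            return "rejected: not issued by gateway"
        if link["session"] != self._session_id:
            return "rejected: bound to another session"
        if now >= link["expires"]:
            return "rejected: expired"
        if link["nonce"] in self._used_nonces:
            return "rejected: already used"
        self._used_nonces.add(link["nonce"])
        return "accepted"
```

A leaked link fails on replay or after expiry, and a request that never passed through the gateway has no valid signature to present.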

Tenant Isolation

Each agent runs in a single-tenant runtime with a dedicated workspace.

Control-plane credentials stay outside the tenant runtime. If an agent misbehaves, blast radius is scoped to its own workspace and runtime environment—not your laptop or home network.

No Internet Egress (Default)

Default-deny networking. The tenant has no direct internet egress.

If you enable outbound access, it’s only via controlled gateways/allowlists—so your agent can’t quietly phone home with your API keys, scrape the open web, or spray requests across random IPs.

Persistent State

The compute can be disposable. Your work isn’t. State persists via a dedicated volume mounted at /data.

If the runtime gets wedged, you can restart or recreate it without losing your workspace.