3 points by ai-christianson 5 hours ago | 1 comment
ai-christianson 5 hours ago
I’m Andrew I. Christianson (co-author) from Gobii. This post is the production sandbox we built for running untrusted agent workloads: per-agent isolation (gVisor), default-deny egress with proxy-only outbound, deterministic filespace sync, and audit logs for every tool call.

Happy to answer anything, especially threat model edge cases and failure modes. Code links are in the post if you want to go straight to implementation.