Each agent gets its own isolated workspace directory and a dedicated tmux session.
- macOS — sandbox-exec (Seatbelt): deny-by-default filesystem policy; agents can only write to their workspace and /tmp
- Linux — bwrap (bubblewrap): unshared PID/IPC/UTS namespaces; workspace bind-mounted to /workspace
- Fallback — unrestricted shell in workspace directory (with a warning)
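
The backend selection described above, as an added shell example that is not the project's own code. The Seatbelt rules, the bwrap mount layout (a merged-/usr distribution is assumed) and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code. Profile rules, bwrap mounts and
# function names are assumptions built from the three backends listed above.

have() { command -v "$1" >/dev/null 2>&1; }

# Map `uname -s` output plus the installed tools to a backend name.
pick_backend() {
  case "$1" in
    Darwin) if have sandbox-exec; then echo seatbelt; return; fi ;;
    Linux)  if have bwrap; then echo bwrap; return; fi ;;
  esac
  echo fallback
}

# Deny by default; reads and process creation allowed, writes only under the
# workspace and /tmp. On macOS /tmp is a symlink to /private/tmp and Seatbelt
# matches resolved paths, so the rule names /private/tmp. /dev/null is added
# so ordinary shell redirections keep working.
seatbelt_profile() {
  cat <<'EOF'
(version 1)
(deny default)
(allow process*)
(allow sysctl-read)
(allow file-read*)
(allow file-write* (subpath (param "WORKSPACE")) (subpath "/private/tmp") (literal "/dev/null"))
EOF
}

# Print the launch argv, one argument per line, for backend $1, workspace $2
# (an absolute, symlink-free path) and the command that follows.
sandbox_argv() {
  backend=$1 ws=$2; shift 2
  case "$backend" in
    seatbelt)
      seatbelt_profile > "$ws.sb"   # profile kept beside, not inside, the workspace
      set -- sandbox-exec -f "$ws.sb" -D "WORKSPACE=$ws" "$@" ;;
    bwrap)                          # root is a fresh tmpfs; host /usr and /etc read-only
      set -- bwrap --unshare-pid --unshare-ipc --unshare-uts --die-with-parent \
        --ro-bind /usr /usr --ro-bind /etc /etc --symlink usr/bin /bin \
        --symlink usr/lib /lib --symlink usr/lib64 /lib64 \
        --proc /proc --dev /dev --tmpfs /tmp \
        --bind "$ws" /workspace --chdir /workspace -- "$@" ;;
    *) echo "warning: no sandbox available, running unrestricted in $ws" >&2 ;;
  esac
  printf '%s\n' "$@"
}
```

Under bwrap the private tmpfs on /tmp means agents do not share temporary files with the host or with each other, while the Seatbelt profile leaves the host's /tmp shared.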