Operating Properties

Architectural properties customers should plan around.

  • Bootstrap once per workspace before first terminal attach.

  • Access-broker sessions are short-lived; re-auth is the model. Long-running flows rely on the workspace-side session multiplexer for persistence — the workspace keeps running while the user is offline. Workspace ≠ session (see Three Timescales of Sandbox Lifecycle).

  • Outbound is allowlisted, not generic. Broad public-internet reach belongs in a public-data sandbox.

  • Workspace profile is immutable post-provisioning. Profile or OS-family change requires reprovision.

  • Single-tenant per workspace. Sharing happens through repos, tickets and chat — not by handing access to a workspace.

  • Workspace state is local and ephemeral relative to enterprise systems. Long-lived state belongs in upstream services (source control, object storage, ticketing). Push frequently so a rebuild is not destructive.

  • Authority inherits from the user. Access requires all three of SSO-valid, portal-entitled and broker-current; there is no fallback in which the workspace itself grants access. The agent inherits a policy-defined subset of the user’s permissions, never a separate authority of its own.

  • Consequential writes are human-reviewed, asynchronously. Agents read / search / summarize / draft without review; change / delete / send / publish require human approval.
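The authority and review rules in the last two properties, written as one policy gate. This is an added example, not the product's own code: the names UserContext, AgentPolicy and authorize are assumed, the permission strings and the broker expiry window are constructed sample values, and the verb classes are the ones the page lists.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Verb classes taken from the page: these run unreviewed, the rest wait for a human.
AUTO_ACTIONS = {"read", "search", "summarize", "draft"}
REVIEWED_ACTIONS = {"change", "delete", "send", "publish"}

@dataclass(frozen=True)
class UserContext:
    sso_valid: bool
    portal_entitled: bool
    broker_expires: datetime        # broker sessions are short-lived; re-auth is the model
    permissions: frozenset          # what the user may do in upstream systems

@dataclass(frozen=True)
class AgentPolicy:
    allowed: frozenset              # policy-defined subset of the user's permissions

def authorize(user, policy, action, permission, now):
    """Return (decision, reason) with decision in {'deny', 'allow', 'review'}."""
    # All three must hold; a running workspace is never a fallback source of authority.
    if not (user.sso_valid and user.portal_entitled):
        return "deny", "sso or portal entitlement missing"
    if now >= user.broker_expires:
        return "deny", "broker session expired; re-auth required"
    # The agent exercises a subset of the user's permissions, never its own authority.
    if permission not in user.permissions:
        return "deny", "user lacks permission"
    if permission not in policy.allowed:
        return "deny", "permission outside agent policy subset"
    if action in AUTO_ACTIONS:
        return "allow", "non-consequential"
    if action in REVIEWED_ACTIONS:
        return "review", "consequential write queued for human approval"
    return "deny", "unknown action; fail closed"

def demo():
    """Constructed sample inputs: one user, one agent policy, four requests."""
    now = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    user = UserContext(True, True, now + timedelta(minutes=15),
                       frozenset({"repo:read", "repo:write", "ticket:write"}))
    policy = AgentPolicy(frozenset({"repo:read", "repo:write"}))
    return {
        "search": authorize(user, policy, "search", "repo:read", now),
        "publish": authorize(user, policy, "publish", "repo:write", now),
        "ticket": authorize(user, policy, "change", "ticket:write", now),
        "expired": authorize(user, policy, "read", "repo:read", now + timedelta(hours=1)),
    }
```

The "ticket" case shows a permission the user holds but the agent policy withholds, and the "expired" case shows that a permitted read is still denied once the broker session lapses.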