# Security posture

sand-boxer limits **blast radius** — it does not enforce **intent**.

## What sandboxing provides

- Isolated compose projects and workspace directories on placement hosts
- Profile-declared network default-deny (declarative in v0; enforcement varies by extension)
- TTL-bound disposable venues with automated expire/reap
- Consumer attribution (`adm` / `agt` / `atm`) on lifecycle events

## What sandboxing does not provide

- Protection against a malicious or compromised agent *inside* the sandbox
- Guarantee that an agent follows instructions or policy
- Replacement for secrets management (use OpenBao / operator paths via `warden route`)
- Production isolation on Railiance01 (sandboxes run on sandboxer01 / CoulombCore)

Per INTENT: *"Honest security — sandboxing limits blast radius; it is not intent
enforcement."*

Operators should combine sand-boxer with flex-auth, credential routing, and
harness-level controls for end-to-end safety.