An isolated agent execution mode that contains the blast radius: file access scoped to the workspace, network off by default and git restricted to read-only, enforceable org-wide.