Why this works
A CLI coding agent is just a process on Linux — it reads files, runs commands, commits. That bare simplicity is exactly why it reshaped software work: no special runtime, nothing to integrate. We change two things, and nothing else:
- Put it in a container — now it is safe (isolated, no egress except through brokered tools, no lateral movement) and scalable (ephemeral, thousands in parallel).
- Point it at business data instead of dev prompts — give it a workspace of Markdown instead of a code repo, and the same loop treats knowledge as code.
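What "put it in a container" amounts to in practice, as an added example that is not the runtime's own code: the argument vector a runtime might hand to `docker run` for one ephemeral agent container, and a small audit that flags launch arguments lacking the isolation described above (no network except the brokered socket, immutable root, no capabilities, reaped on exit). The docker flags are real CLI options; the image name, workspace mount and broker socket path are assumptions for this example.

```python
"""Constructed example (not the runtime's own code): hardened container launch
arguments for one agent, plus an audit of a candidate argv. The image name,
workspace mount and broker socket path are assumptions for this example."""

AGENT_IMAGE = "example/agent:latest"    # assumed image name
BROKER_SOCK = "/run/agent-broker.sock"  # assumed: the only path out of the sandbox


def launch_args(workspace_dir, agent_id):
    """Hardened launch: no network, immutable root, no capabilities, reaped on exit."""
    return [
        "docker", "run", "--rm",                     # ephemeral; reaped when done
        "--name", "agent-%s" % agent_id,
        "--network", "none",                         # no egress at all ...
        "-v", "%s:%s" % (BROKER_SOCK, BROKER_SOCK),  # ... except the brokered tool socket
        "-v", "%s:/workspace" % workspace_dir,       # the Markdown workspace, git inside
        "--read-only",                               # root filesystem immutable
        "--tmpfs", "/tmp",                           # scratch space that dies with the container
        "--cap-drop", "ALL",                         # no Linux capabilities
        "--security-opt", "no-new-privileges",       # setuid binaries cannot escalate
        "--pids-limit", "256",                       # bound fork storms
        "--memory", "1g",
        "--user", "1000:1000",                       # never root inside
        "--workdir", "/workspace",
        AGENT_IMAGE,
    ]


# Controls every launch must carry: (flag, required value, or None for a bare flag).
REQUIRED = [
    ("--rm", None),
    ("--network", "none"),
    ("--read-only", None),
    ("--cap-drop", "ALL"),
    ("--security-opt", "no-new-privileges"),
]


def audit(argv):
    """Return a list of findings for a docker run argv; an empty list means it passes."""
    findings = []
    # Map each token to the token that follows it, so flag -> value lookups are cheap.
    following = {argv[i]: argv[i + 1] for i in range(len(argv) - 1)}
    for flag, value in REQUIRED:
        if flag not in argv:
            findings.append("missing %s" % flag)
        elif value is not None and following.get(flag) != value:
            findings.append("%s is %r, expected %r" % (flag, following.get(flag), value))
    if "--privileged" in argv:
        findings.append("--privileged defeats all isolation")
    if "--cap-add" in argv:
        findings.append("--cap-add reintroduces capabilities")
    for i, token in enumerate(argv[:-1]):
        if token in ("-v", "--volume") and argv[i + 1].startswith("/var/run/docker.sock"):
            findings.append("mounting the docker socket escapes the container")
    return findings


if __name__ == "__main__":
    good = launch_args("/srv/workspaces/acme", "42")   # constructed paths
    print("hardened launch:", audit(good) or "OK")
    weak = ["docker", "run", "-v", "/srv/workspaces/acme:/workspace",
            "--network", "host", AGENT_IMAGE]
    for finding in audit(weak):
        print("weak launch:", finding)
```

The audit is the kind of check a runtime can run on itself before every spawn, so a drifting launch template (someone adding `--network host` to debug a tool) is caught at dispatch rather than discovered later.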
How an agent runs
A trigger (a message, a schedule, an event, or a meeting) dispatches an agent. The runtime spawns it in an isolated container with the workspace mounted; it works, commits, streams its output, and is reaped when idle. Continuity is a session file in the workspace, so a fresh container resumes instantly — nothing stays warm. The agent is untrusted by design (it is prompt-injectable). It carries a signed identity token that every boundary verifies; it never enforces anything itself, and never holds a raw credential.
Trusted vs untrusted input
What an agent may do is set by where its input came from, enforced at the boundaries — never by the model:
- Trusted (you, in chat) → the agent writes to the workspace directly; git is the undo.
- Untrusted (an email, a web page) → the agent runs propose-only: it suggests actions (record a task, draft a reply, send) as cards; a human approves, and trusted code applies them. Irreversible effects (send, order) are always gated.
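The two rules above, plus the signed identity token from the previous section, as an added example that is not the runtime's own code: a boundary-side policy gate that decides whether an agent's requested action is applied now, turned into a card for human approval, or rejected. The token format (HMAC-signed JSON claims), the action names and the provenance labels are assumptions for this example; the signing key stays in the runtime, and the agent only ever carries tokens.

```python
"""Constructed example (not the runtime's own code): the policy gate a boundary
runs before an agent's requested action takes effect. Token format, action
names and provenance labels are assumptions for this example."""
import base64
import binascii
import hashlib
import hmac
import json

# Constructed signing key. It lives in the runtime; the agent never sees it.
RUNTIME_KEY = b"constructed-demo-key-do-not-reuse"

# Effects that git cannot undo are gated whatever the provenance.
IRREVERSIBLE = {"send_reply", "place_order"}
# Workspace writes and proposals are reversible: git is the undo.
REVERSIBLE = {"write_file", "record_task", "draft_reply"}


def mint_token(agent_id, provenance):
    """Runtime side: sign the agent's identity and the provenance of its trigger."""
    payload = json.dumps({"agent": agent_id, "provenance": provenance},
                         sort_keys=True).encode()
    sig = hmac.new(RUNTIME_KEY, payload, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in (payload, sig))


def verify_token(token):
    """Boundary side: return the claims only if the signature verifies, else None."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(RUNTIME_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims.get("provenance") not in ("trusted", "untrusted"):
        return None
    return claims


def gate(token, action):
    """Decide whether an action is applied now, becomes a card, or is rejected."""
    claims = verify_token(token)
    if claims is None:
        return {"decision": "reject", "reason": "invalid identity token"}
    kind = action.get("kind")
    if kind not in IRREVERSIBLE | REVERSIBLE:
        return {"decision": "reject", "reason": "unknown action %r" % kind}
    card = {"decision": "propose",
            "card": {"agent": claims["agent"], "action": action}}
    if kind in IRREVERSIBLE:
        card["reason"] = "irreversible effect: human approval required"
    elif claims["provenance"] == "untrusted":
        card["reason"] = "untrusted input: propose-only"
    else:
        return {"decision": "apply", "action": action}
    return card


def apply_card(card, approved_by=None):
    """Trusted code applies a proposed card only once a named human has approved it."""
    if not approved_by:
        return {"decision": "reject", "reason": "card not approved"}
    return {"decision": "apply", "action": card["action"], "approved_by": approved_by}


def demo():
    """Run the cases described in the text and return the gate's decisions."""
    chat = mint_token("agent-42", "trusted")     # trigger: you, in chat
    mail = mint_token("agent-42", "untrusted")   # trigger: an inbound email
    # A token whose provenance claim was rewritten without re-signing: the
    # boundary must reject it, since only the runtime holds the key.
    rewritten = json.dumps({"agent": "agent-42", "provenance": "trusted"},
                           sort_keys=True).encode()
    tampered = base64.urlsafe_b64encode(rewritten).decode() + "." + mail.split(".")[1]
    return {
        "trusted_write": gate(chat, {"kind": "write_file", "path": "notes/plan.md"}),
        "untrusted_task": gate(mail, {"kind": "record_task", "title": "Call back"}),
        "trusted_send": gate(chat, {"kind": "send_reply", "to": "a@example.com"}),
        "tampered_token": gate(tampered, {"kind": "write_file", "path": "x.md"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result["decision"], result.get("reason", ""))
```

Note that the model never sees `gate`; it only emits actions, and the decision is a pure function of the verified claims and the action kind, which is what makes the boundary, rather than the prompt, the thing that enforces the rule.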