Sandboxed Autonomy

Coding agents have crossed a threshold. A year ago the interesting question was whether a model could write a correct function from a prompt. Today it can run for an hour — open a branch, install dependencies, run a test suite, read the failures, and try again — largely unattended. Capability is no longer the constraint. The question is how much of that work you are willing to let happen without watching every step.

That willingness has a precondition, and the precondition is containment. You can grant an agent exactly as much independence as you can contain the consequences of its mistakes. An agent that can only touch a throwaway copy of a repository can be trusted to act freely, because the worst case is a discarded copy. An agent with production access is dangerous at any level of autonomy, because the worst case is unbounded. Sandboxing is not a safety feature bolted onto autonomy — it is what makes autonomy grantable at all.

This paper describes how Tenten AI builds execution environments for long-running coding agents: the isolation primitives we rely on (ephemeral containers and microVMs, hosted code-execution sandboxes, git worktrees for parallelism), the controls that bound the blast radius, the governance trail that makes the work auditable, and the threat model we design against.

One principle organizes all of it. Sandbox first: start with the tightest containment that still lets the agent do useful work, then loosen specific constraints as observed behavior earns it. Autonomy scales exactly as far as isolation and auditability allow, and not one step further.