goblinforge.dev · agentic ai infrastructure

Safe by Default. Agentic AI Workstations.

Run powerful AI coding agents inside a bounded Linux workspace with governed inference, no ambient egress, non-root execution, snapshot recovery, and secret-safe service boundaries.

sentinel 7/7 · prototype
The Problem

AI agents are running with dangerous defaults.

Root containers. Broad internet egress. Package registry access. Mounted workspaces. Credentials exposed to model context. The attack surface is the entire machine.

Root container execution
Broad internet egress
Package registry access (npm, pip, cargo)
Mounted host workspaces
Credentials in model context window
No egress logging or audit trail
No snapshot or rollback capability
attack surface: the entire machine
The Approach
01

The VM is sacrificial.

Each agent runs inside a bounded Linux VM. The workspace is sacrificial, snapshot-recoverable, and operator-controlled. State persists only where the operator chooses.

02

The membrane is sacred.

A governed proxy sits between the agent and the outside world. Every allowed outbound call is logged, filtered, and scored. The boundary is the product.

03

The operator controls every dial.

Mounts, internet, root access, and provider backends are all off by default. Every capability loosening is explicit, operator-approved, and reflected in the Sentinel score.

Core Features

Nine layers of default safety.

01

Sealed Linux VM Runtime

Each agent runs in a bounded Linux VM with a controlled workspace. The VM can be snapshotted, restored, or destroyed by the operator.

02

Non-Root Agent Execution

Agents run as unprivileged users. Root is not available unless explicitly granted by the operator.

03

No Ambient Internet Egress

All outbound traffic is blocked by default. Allowlists are operator-defined and logged.

04

Governed Model Proxy

All inference calls route through a governed proxy that logs requests, enforces policy, and keeps provider credentials outside the VM.

05

Bring Your Own Model Backend

Connect any OpenAI-compatible endpoint. Local, cloud, or self-hosted — your inference, your data.

06

Root-Owned Secrets / Masked Outputs

Secrets remain root-owned and unreadable to the unprivileged agent user. Narrow services hold the credentials, make the calls, and return masked outputs, so raw secrets never enter model context.

07

Snapshot Rollback

VM state is snapshotted before each agent run. One command restores to a known-good baseline.

08

Boot Protocol for Agent Orientation

A structured boot sequence orients the agent to its constraints before any task execution begins.

09

Sentinel Self-Audit Security Score

A 7-point security checklist runs on every boot, and the resulting score is visible to the operator in real time.

Safe by Default, Dangerous by Choice

Every loosening is explicit.

Users can enable mounts, internet, root, or provider backends when they choose. Every loosening is explicit, logged, and scored.

Mounts (host filesystem access): OFF
Internet (outbound egress): OFF
Root (privilege escalation): OFF
Provider Backends (operator-selected inference): ON

default state · operator-controlled · logged and scored

Status

Active prototype development.

Sentinel Score (self-audit security checklist, 7 criteria): 7/7
Red-Team Result (frontier model adversarial testing, june 2026): NO ESCAPE
Successful VM Escapes (frontier-model red-team runs): 0
Unauthorized Root Escalations (all test runs): 0
Raw Secret Exposures (unmasked secrets in agent output, all test runs): 0

The reference architecture has passed Sentinel 7/7 and survived frontier-model red-team testing.

Request Early Access

Join the list.

goblinforge.dev · prototype access · no spam