by mcnamtm1
133 days ago
Very interesting use of Firecracker for agent isolation. How do you handle network identity for the agents themselves?
Are you using something like mTLS/SPIFFE to identify the workload inside the VM, or is it purely network-policy based at the host level?
Can you explain the "runtime enforcement" and the "enforcing tool proxy"?

Runtime enforcement means that any side effects are routed through a proxy (nucleus-tool-proxy) that does real-time checks on permissions and gates the behavior.
SPIFFE for MicroVM agents is a compelling idea and I'll update when this is ready.
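The gating pattern described in the reply, as an added illustration that is not nucleus-tool-proxy's own code (the page does not show its interface): every side-effecting tool call from an agent passes through a proxy that checks a per-agent policy (tool allowlist, writable path roots, call budget) and records an audit entry before anything runs. The `Policy`, `ToolProxy` and in-memory `STORE` names are assumptions made for this example.

```python
# Added example: a minimal permission-gating tool proxy (not the project's code).
from dataclasses import dataclass
from pathlib import PurePosixPath

STORE = {}  # constructed in-memory "filesystem" standing in for a real side effect

def write_file(path, data):
    STORE[path] = data
    return len(data)

def read_file(path):
    return STORE.get(path, "")

@dataclass
class Policy:
    allowed_tools: set        # tools this agent may call at all
    writable_roots: tuple = ()  # absolute directories write_file may touch
    max_calls: int = 100      # total call budget for the agent

@dataclass
class Decision:
    allowed: bool
    reason: str

class ToolProxy:
    def __init__(self, policies, tools):
        self.policies = policies  # agent_id -> Policy
        self.tools = tools        # tool name -> callable
        self.calls = {}           # agent_id -> calls made so far
        self.audit = []           # (agent_id, tool, allowed, reason) for every attempt

    def check(self, agent_id, tool, args) -> Decision:
        policy = self.policies.get(agent_id)
        if policy is None:
            return Decision(False, "unknown agent")
        if tool not in policy.allowed_tools:
            return Decision(False, f"tool {tool} not permitted")
        if self.calls.get(agent_id, 0) >= policy.max_calls:
            return Decision(False, "call budget exhausted")
        if tool == "write_file":
            path = PurePosixPath(args.get("path", ""))
            # reject relative or traversal paths before comparing against roots
            if not path.is_absolute() or ".." in path.parts:
                return Decision(False, "path must be absolute and normalized")
            if not any(path.is_relative_to(r) for r in policy.writable_roots):
                return Decision(False, f"path {path} outside writable roots")
        return Decision(True, "ok")

    def invoke(self, agent_id, tool, args):
        d = self.check(agent_id, tool, args)
        self.audit.append((agent_id, tool, d.allowed, d.reason))
        if not d.allowed:
            raise PermissionError(d.reason)
        self.calls[agent_id] = self.calls.get(agent_id, 0) + 1
        return self.tools[tool](**args)
```

Denied attempts are still written to the audit log, which is what makes the proxy useful for detection as well as prevention.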