Secure agents with dedicated microVMs using hypervisor-based isolation. Only project workspaces are mounted, which protects the host while still allowing nested Docker and system package installation. Workflows run unattended, and sandboxes can be instantly reset if issues arise.