Three-level sandbox model across all agents
Every supported agent — Claude, Codex, Gemini, OpenCode, Pi — can now run at three discrete sandbox levels: paranoid, normal, and permissive. Plus ephemeral scratch homes for paranoid runs, an install-time multi-select to pick which variants you want, and a documented trust model with an OAuth bypass recipe.
→ Three sandbox levels per agent
paranoid locks the agent into a minimal, read-mostly environment with no credential access by default. normal is the recommended day-to-day profile. permissive drops the most rules for trusted tasks that need broad host access. Each agent ships with all three variants pre-wired (#57, LINCE-99 / 100 / 101 / 102).
→ Ephemeral scratch_home_dirs for paranoid
Paranoid runs now get a per-run scratch $HOME that is created fresh and discarded when the agent exits — nothing the agent writes leaks across invocations, and it can't read state from a previous run (LINCE-100 / 101 / 102 / 103).
→ Install-time multi-select for sandbox levels
The quickstart TUI now lets you pick which sandbox levels to install per agent, instead of forcing all three. Variants ship in a separate agents-template.toml so you can opt in to the ones you actually want (LINCE-104).
→ Trust model + OAuth bypass recipe
New documentation covers the trust model behind the three levels, an agent-aware error when paranoid is selected without credential rules, and a recipe for handling agents that need a one-time OAuth login despite running paranoid afterwards.