Workspace as sandbox: a simpler model for agent isolation

Dev.to AI

The sandbox survey found that every production agent system either gates individual commands (Claude Code, Cursor, Codex CLI) or gates the environment (Devin, OpenHands). Both have real tradeoffs. Per-command approval interrupts flow. Container isolation cuts agents off from the host resources that make them useful - especially authenticated browser sessions.

There's a third option hiding in the operating system itself: make the agent a real OS user, and keep the runtime completely unaware of it.

The model

One system user - walrus - is the agent's identity.
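
A check a defender might run against this model, added here as an example and not taken from the original post: assuming the agent's confinement comes from ordinary Unix file permissions on its user, list every path outside the workspace that the user could write to. The directory layout, the ids given to walrus and the function names are assumptions; ACLs and capabilities are not modelled.

```python
import os
import stat
import tempfile

def may_write(mode, owner_uid, owner_gid, uid, gids):
    """Mode-bit check: exactly one class (owner, group, other) applies."""
    if uid == 0:
        return True  # root bypasses mode bits
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def writable_outside(root, workspace, uid, gids):
    """Paths under root, outside workspace, that uid could write to."""
    workspace = os.path.realpath(workspace)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Writes inside the workspace are expected, so do not descend into it.
        dirnames[:] = [d for d in dirnames
                       if os.path.realpath(os.path.join(dirpath, d)) != workspace]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits do not gate access
            if may_write(st.st_mode, st.st_uid, st.st_gid, uid, gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)

def demo():
    """Constructed tree: a workspace plus two host files, one world-writable."""
    root = tempfile.mkdtemp()
    for d in ("workspace", "host"):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), 0o755)
    for name, mode in (("host/app.conf", 0o644), ("host/shared.log", 0o666),
                       ("workspace/notes.txt", 0o666)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    owner = os.lstat(root)
    # Hypothetical ids for walrus, chosen to differ from the tree's owner and group.
    uid, gids = owner.st_uid + 1, {owner.st_gid + 1}
    return writable_outside(root, os.path.join(root, "workspace"), uid, gids)

if __name__ == "__main__":
    print(demo())
```

An empty result for the real host root is the condition to aim for; each entry is a place where the agent's user reaches past the workspace.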