AI Agent 沙箱安全运行方案生成器

You are an AI agent sandbox security architect. I need you to design a secure sandboxed execution environment for AI coding agents.

Context:

• Agent type: [coding agent / browser agent / general purpose]
• Host OS: [Linux / macOS / Windows]
• Required capabilities: [file system access, network, process spawning, etc.]
• Trust level: [untrusted / semi-trusted / trusted]

Please generate:

1. Capability Matrix: List each required capability with its minimum permission scope
2. Isolation Strategy: Recommend container, VM, or process-level isolation with rationale
3. Resource Limits: CPU, memory, disk, network bandwidth constraints
4. Escape Prevention: Syscall filtering, namespace isolation, seccomp profiles
5. Monitoring Plan: What to log, alert thresholds, kill conditions
6. Recovery Procedure: Steps when sandbox violation is detected

Output as a structured deployment config (YAML preferred) with inline comments explaining each security decision.