{
  "schema": "https://agent-atoms.com/schemas/atom-v1.json",
  "type": "isolation-constraint",
  "id": "ephemeral-vm",
  "version": "1.0.0",
  "name": "Ephemeral VM",
  "description": "Single-use VM destroyed on task completion. Strongest practical isolation for untrusted execution.",
  "isolation": {
    "process": "vm",
    "network": "allowlist",
    "filesystem": "tmpfs",
    "scoped_paths": ["/workspace"]
  }
}