ZOZO123 · MISSION 001 2026

SANDBOXES • STATE • ONE SUBSTRATE

A VISION FOR THE AI ERA OF SOFTWARE

THE LIVING
LAYER

Software will not be deployed.
It will be projected from one governed, queryable, executable reality.
Sandboxes are the new unit of execution.
One database is the entire system.

EXECUTION ISOLATED BY DEFAULT

UI IS A VIEW. LOGIC IS A SANDBOX.

STATE IS THE ONLY SOURCE OF TRUTH

SCROLL TO ASCEND

01 / THE PAST

The Fragmented Stack

For fifty years we built by stacking independent lies.

A frontend repository. A backend repository. A database. An auth service. A deployment pipeline. A logging system. A separate world for each agent that needed to act.

Each layer had its own model of reality. They drifted. They fought. Every integration was a new source of failure and security surface.

When the primary author of code is no longer a human you can interview, the entire stack becomes a liability.

The dominant reader of data is also no longer a human with a dashboard. It is fleets of agents that must act with perfect context, perfect safety, and perfect auditability.

02 / THE PRIMITIVES

Two New Fundamentals

Everything else collapses into these.

PRIMITIVE ONE

The Sandbox

A disposable, observable, killable computer that an agent can safely inhabit.

Docker made code portable. Sandboxes make code safe to run when the author is a model generating faster than any human can review.

Ephemeral by default. Complete enough to ship real work.
Network, filesystem, secrets — all explicitly scoped and logged.
Every action is an execution trace that can be replayed or forked.
Isolation tiers from process namespaces to microVMs (gVisor, Firecracker, etc.).

PRIMITIVE TWO

The Substrate

One living database that holds data, UI, logic, policy, and history.

Not “the database for the app”. The database is the app. Schema, components, agent contracts, sandbox blueprints, permissions, and full causal history are all first-class queryable facts.

UI definitions live as rows. Rendering is projection + safe execution.
Business logic runs as governed functions or agents inside attached sandboxes.
Every change is versioned, attributable, and forkable.
Agents no longer call brittle external APIs. They query and write to the single source of truth.

THE ISOLATION LADDER

TIER

ISOLATION

PRIMARY USE

Same process / namespace

Trusted local tools

Container (Docker / Podman)

Most dev & CI today

gVisor / user-space kernel

AI agent code execution

MicroVM (Firecracker, Cloud Hypervisor)

Untrusted multi-tenant agents

Full VM or dedicated machine

Highest blast-radius workloads

Generation got cheap. Safe execution is the new bottleneck.

03 / THE COLLAPSE

One Layer to Rule Them All

The frontend repository disappears. The backend repository disappears. The “app” is now three things:

1. A schema + policy definition in the substrate.
2. A set of sandbox templates and agent contracts attached to that schema.
3. Projections (views) that agents or humans can safely render and mutate.

When you want new behavior, you do not ship a new binary. You evolve the schema, adjust the sandbox scopes, and let agents operating inside governed execution environments materialize the new reality.

“Deploy” becomes a historical curiosity. What remains is instantiation — spawning a sandbox with a view over a slice of the living layer.

04 / THE LAW

Principles of the Living Layer

Every mutation that can affect the world must occur inside an explicitly scoped sandbox or be rejected.

The schema is the application. UI, workflows, and permissions are derived data.

There is only one source of truth. All other stores are materialized views or caches that can be invalidated.

Execution history is first-class data. Every agent action is queryable, attributable, and replayable.

Forking reality is a primitive operation. Clone a slice of state + sandbox lineage into a new branch.

Agents are not users of the system. They are projections of the system that can safely act.

Security is not a perimeter. It is the shape of every sandbox and every permission row in the layer.

Latency and consistency are negotiated at the projection layer, not by gluing services together.

The human role shifts from writing glue code to designing schemas, policies, and sandbox contracts.

The layer must be observable by default. If you cannot query why something happened, it did not happen safely.

05 / THE FUTURE

The World That Follows

These are not predictions. They are the logical destination of the primitives already emerging.

2027 — 2028

Personal Living Layers

Every knowledge worker has a personal substrate. Their notes, emails, agents, tools, and history are one queryable, sandboxed reality. “Apps” are just different projections granted different execution scopes.

2028 — 2030

The End of the Company App

Organizations run dozens of governed living layers instead of hundreds of SaaS products. New “software” arrives as a schema patch + sandbox policy bundle. Integration is a permission grant, not an API key dance.

2030 — 2035

Software as Reality Forks

Most economic activity is the careful forking, merging, and governance of shared layers. The companies that win are the ones with the best schemas and the tightest, safest sandbox contracts — not the prettiest UIs.

DECIDE

What tier does your idea require?

Quick isolation & substrate estimator

Who is writing the code that will run? Blast radius if something goes wrong? State model complexity?

This is not a product recommendation. It is a thinking tool. The right answer is almost always higher isolation + richer substrate than you first assume.

THE WORK

Already Under Construction

The following artifacts are real, public, and already pushing pieces of this future into existence. They are not vapor.

The Sandbox Shift →

Vendor-neutral field guide. Why containers are no longer enough. Interactive decider. Isolation ladder.

Databases in the Age of AI →

Full graduate course + two essays. What fifty years of database systems must become when agents are the primary readers and writers.

Crabbox →

Warm a box. Sync the diff. Run the suite. Real remote sandboxes for agentic development and evaluation loops.

Conductor →

Event-driven, durable agentic workflow engine. The execution backbone for long-running agents that must survive and resume.

Harbor →

Framework for agent evaluations and RL environments. Turning repos into measurable, sandboxed training grounds.

DeepAgents →

The batteries-included agent harness. Production patterns for agents that do real, stateful, auditable work.

Odysseus →

Self-hosted AI workspace. Your own layer, running anywhere.

Agentic Airbyte →

Agents orchestrating Crabbox sandboxes as reliable ETL workers. The data movement substrate for the living layer.

ALL PUBLIC REPOS ON GITHUB →

This is not a pitch deck. It is a falsifiable description of the direction the best builders are already being forced to take by the physics of AI-generated code and agent-native workloads.

The question is no longer whether we will have sandboxes and unified substrates.
It is who will design the cleanest, safest, most powerful versions first.

YOSSI ELIAZ — ZOZO123 — 2026