3 points by difc 10 hours ago | 1 comments
- Very interesting use of Firecracker for agent isolation.
How do you handle network identity for the agents themselves? Are you using something like mTLS/SPIFFE to identify the workload inside the VM, or is it purely network-policy based at the host level? Can you explain the "runtime enforcement" and the "enforcing tool proxy"?