For shared or team-facing heypi bots, the sandbox runtime is an explicit choice -- host runtimes ship with only a warning

What this changes for operators

• The default just-bash runtime is an in-process interpreter with a virtual filesystem and network off by default; Docker and Gondolin (a warm QEMU VM per scope) are opt-in isolation. The host runtimes (host-bash, guarded-bash) run against the real machine and emit only a startup warning: For shared or team-facing bots, prefer just-bash, Docker, or Gondolin.
• Choose the runtime before exposing a bot to a channel: a warning is not a boundary. For anything multiplayer, select an isolating runtime explicitly rather than relying on the default or accepting a host runtime past its warning.