Refactor sandbox providers to SPI with capability-driven routing#77
Draft
geminixiang wants to merge 5 commits into
Implements Phase 1 of docs/rfc-sandbox-provider.md:

- Add SandboxProvider/SandboxInstance SPI with declared capabilities (lifecycle, credential scope, env injection, file mounts) so the control plane never switches on sandbox types.
- Move all five builtin backends into src/sandbox/providers/; the Docker provisioner becomes a private detail of the docker providers.
- Model image:* as a managed provider: per-conversation container naming, provisioning, and the ensureReady wiring live in providers/docker/image.ts instead of the execution resolver. Managed instances expose suspend()/destroy().
- Derive vault keys / scope keys from provider capabilities via resolveActorScopeKey(); delete vault/routing.ts and the cloudflare special-case in FileVaultManager.getSandboxConfig() (the provider derives per-scope sandbox ids at acquire time). The vault layer no longer imports anything from the sandbox layer.
- Add registerSandboxProvider() so third-party backends (E2B, gondolin, Docker Sandboxes) can plug in without touching the control plane.
- CLI sandbox strings, vault directories, container naming, and wire behaviour are unchanged; existing tests pass as-is plus new SPI coverage for capabilities, scope routing, and acquire semantics.

https://claude.ai/code/session_01PhGdhDZviXgebWYTXJ89PF
…, fs push

Implements Phase 2 of docs/rfc-sandbox-provider.md:

- Docker exec no longer writes vault env to a host tmpdir env file. Secrets ride the docker CLI's own process environment and are forwarded with bare '-e KEY' flags, so they never touch disk or the command line and cannot leak through crash residue. Env var names are validated before use.
- The cloudflare provider pushes vault env to the bridge once per instance via a new POST /env (setEnvVars) instead of resending the full secret set in every /exec payload. Legacy bridges without /env are detected (404/405) and fall back to per-exec injection.
- New SandboxFs surface on SandboxInstance plus a filePush capability: vault file credentials are now projected into cloudflare sandboxes through bridge /mkdir + /write-file (written 0600), closing the 'cloudflare has no vault files' gap without bind mounts.
- All injection now flows through a single audited chokepoint (src/sandbox/secret-injection.ts) that logs key names, modes, and file counts — never values — per scope.
- Bridge example worker gains /env, /mkdir, /write-file endpoints; docs updated accordingly.

https://claude.ai/code/session_01PhGdhDZviXgebWYTXJ89PF
Summary
Decouples sandbox implementations from the control plane by introducing a provider SPI (`SandboxProvider`) with declared capabilities. The control plane now routes based on capabilities (lifecycle, credential scope, env injection, file mounts) rather than type-switching. Moves Docker provisioning into the sandbox layer, eliminates vault-sandbox coupling, and implements secure secret injection with a single audit chokepoint.

Key Changes
Architecture

- `src/sandbox/spi.ts` defines `SandboxProvider`, `SandboxInstance`, `SandboxCapabilities`, and `AcquireContext`. Providers declare how they handle lifecycle, credentials, env injection, and file operations.
- `src/sandbox/registry.ts` replaces the adapter pattern with a factory-based registry. Third-party providers can register via `registerSandboxProvider()`.
- `ActorExecutionResolver` now consults provider capabilities instead of type-switching. Vault routing moved from `vault/routing.ts` into `resolveActorScopeKey()` in the sandbox layer.

Providers

- `src/sandbox/providers/`: `host.ts`, `docker/container.ts`, `docker/image.ts`, `firecracker.ts`, `cloudflare.ts`
- The Docker provisioner (`DockerContainerManager`) moved to `src/sandbox/providers/docker/provisioner.ts`.
- Each provider implements `parse()`, `validate()`, `getPathContext()`, and `acquire()`.

Secret Injection

- Cloudflare: vault env is pushed through the `/env` endpoint; `/exec` no longer carries secrets. Falls back to per-exec injection for legacy bridges.
- Docker: `docker exec -e KEY` (reads from the parent process env) instead of tmpdir env files. Validates environment variable names.
- New `SandboxFs` API (`mkdir`, `writeFile`) for pushing vault files. The Cloudflare bridge implements `/mkdir` and `/write-file` endpoints.
- `auditSecretInjection()` in `src/sandbox/secret-injection.ts` logs key names and counts (never values) for all injection paths.

Removed Coupling

- The vault layer no longer imports from the sandbox layer; path context comes from the provider's `getPathContext()`.
- `image:` config no longer requires special handling in `execution-resolver.ts`; the image provider handles template→instance conversion.

Testing

- Existing tests pass as-is; new coverage for the SPI and the `resolveActorScopeKey()` API.

Notes for Reviewers

- The cloudflare provider detects `/env` support and falls back to per-exec injection for older bridges.

https://claude.ai/code/session_01PhGdhDZviXgebWYTXJ89PF
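The docker env-injection path described under Secret Injection, as an added example that is not part of this PR or the project's code: secret values go into the docker CLI's process environment, argv carries only bare `-e KEY` flags, names are validated first, and the audit record holds names and counts but never values. The names `planDockerEnvInjection`, `InjectionPlan` and `assertNoValueLeak` are hypothetical.

```typescript
// Added example of a secret-injection chokepoint for a docker backend (hypothetical names).

const ENV_NAME = /^[A-Z_][A-Z0-9_]*$/; // POSIX-style names; rejects "-e", "A=B", spaces, etc.

interface InjectionPlan {
  args: string[];                    // argv fragment appended to `docker exec`
  childEnv: Record<string, string>;  // environment handed to the docker CLI process
  audit: { scope: string; mode: string; keys: string[]; fileCount: number };
}

function planDockerEnvInjection(
  scope: string,
  secrets: Record<string, string>,
  parentEnv: Record<string, string> = {},
): InjectionPlan {
  const keys = Object.keys(secrets).sort();
  for (const key of keys) {
    // A malformed name could be parsed by docker as a flag or as a KEY=VALUE pair.
    if (!ENV_NAME.test(key)) {
      throw new Error(`refusing to inject invalid env var name ${JSON.stringify(key)}`);
    }
  }
  const args: string[] = [];
  for (const key of keys) args.push("-e", key); // bare name: docker copies the value from its own env
  return {
    args,
    childEnv: { ...parentEnv, ...secrets },
    // Audit record per scope: key names, mode and file count only.
    audit: { scope, mode: "docker-exec-env", keys, fileCount: 0 },
  };
}

// Defensive check before spawning: neither argv nor the audit record may contain a secret value.
function assertNoValueLeak(plan: InjectionPlan, secrets: Record<string, string>): boolean {
  const visible = plan.args.join(" ") + "\n" + JSON.stringify(plan.audit);
  return Object.values(secrets).every((v) => v.length === 0 || !visible.includes(v));
}
```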