feat: cloud adapters E2B/Modal and billing export (SAND-WP-0010)

Add credentialed E2B and Modal extensions, burst routing fallback, fin-hub meter export hook, BYOK docs, and 77 tests.
2026-06-24 12:50:19 +02:00
parent 6d0a1a8b1e
commit 15f031fd65
26 changed files with 859 additions and 75 deletions
--- a/docs/payments.md
+++ b/docs/payments.md
@@ -36,10 +36,17 @@ Reference: `ext.saas-stub` (no external API).

 ## BYOK

-Provider API keys are resolved at provision boundary via `secret_refs` / OpenBao —
-not implemented in v0 stub. Set provider env vars per extension when adapters land.
+Provider API keys resolve at provision boundary — never stored on `SandboxStatus`
+or emitted to State Hub.
+
+1. Operator lookup: `warden route find "<provider> API key" --json`
+2. Inject env before `sandboxer create` (e.g. `E2B_API_KEY`, `MODAL_TOKEN_ID`)
+3. Or map `secret_ref` from extension config to `SANDBOXER_SECRET_<REF>` env
+
+See `docs/cloud-adapters.md`.

 ## Billing export

-sand-boxer meters sandbox consumption only. Domain billing authority (fin-hub) is a
-future export consumer of State Hub meter events — not owned here.
+On metered destroy, optional fin-hub hook when `SANDBOXER_FIN_HUB_URL` is set.
+Posts `sandbox_id`, `extension_id`, `duration_s`, `actual_usd` to `/usage/sandbox`.
+Implementation: `src/sandboxer/payments/billing_export.py`.