coulomb/sand-boxer
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: reachability and consumer profiles (SAND-WP-0011)

Browse Source 
Add reachability enrichment (tunnel metadata, ops-bridge pointer),
secret_refs boundary resolution, profile.agent-dev and profile.build,
CLI reachability show, API endpoint, consumer smoke scripts, and tests.
This commit is contained in:
Bernd Worsch
2026-06-24 12:54:27 +02:00
parent 7cabf77fb6
commit 1f87be4c6b
20 changed files with 522 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
workplans/SAND-WP-0011-reachability-and-consumer-profiles.md
View File

@@ -4,7 +4,7 @@ type: workplan
title: "Reachability and consumer profiles"
domain: infotech
repo: sand-boxer
status: ready
status: finished
owner: codex
topic_slug: custodian
created: "2026-06-24"
@@ -19,18 +19,16 @@ first-class profiles for glas-harness and snuggle-inventor consumers.
Gap analysis P6/P7: `history/2026-06-24-post-wp0007-intent-scope-gap-analysis.md`
**Predecessor:** SAND-WP-0010 (cloud adapters — proposed)
**Predecessor:** SAND-WP-0010 (cloud adapters)
**Follow-on:** SAND-WP-0012 (Packer orchestration)
Note: Can proceed in parallel with SAND-WP-0010 where profiles are self-hosted.
---
## Reachability descriptor enrichment
```task
id: SAND-WP-0011-T01
status: todo
status: done
priority: high
state_hub_task_id: "ccf21aaf-9439-41e2-9ce3-becc08f734a7"
```
@@ -44,77 +42,76 @@ Document contract in `docs/meta-framework.md`; sand-boxer does not own tunnels.
```task
id: SAND-WP-0011-T02
status: todo
status: done
priority: medium
state_hub_task_id: "61d41e09-ca21-4fbe-9b56-98f0ffe356c6"
```
Optional `sandboxer reachability show <id>` (or enrich `get` output) surfacing
SSH one-liner and tunnel status pointer (`ops-bridge` MCP / CLI doc link). No
tunnel bring-up in sand-boxer — pointer only.
`sandboxer reachability show <id>` and `GET /v1/sandboxes/{id}/reachability`
surfacing SSH one-liner and tunnel status pointer (`ops-bridge` MCP / CLI doc
link). No tunnel bring-up in sand-boxer — pointer only.
## profile.agent-dev
```task
id: SAND-WP-0011-T03
status: todo
status: done
priority: high
state_hub_task_id: "1a10a784-6a7c-4af6-9fbf-48d31e7e22cb"
```
Profile for glas-harness: longer TTL defaults, `actor: agt` examples, route
`prefer-self-hosted`. Extension `ext.compose-ssh` or vm-packer attach variant.
Update `docs/integrations/glas-harness.md` with real profile id.
`prefer-self-hosted`. Extension `ext.compose-ssh`. Updated
`docs/integrations/glas-harness.md` with real profile id.
## profile.build (snuggle-inventor)
```task
id: SAND-WP-0011-T04
status: todo
status: done
priority: high
state_hub_task_id: "a8142492-32c8-40d4-b882-b555858b44bb"
```
Build sandbox profile binding `profile.vm-haskell-build` or compose path;
`setup.instructions` placeholder; `secret_refs` list on profile (resolution v0:
validate refs exist via `warden route`, inject at provision boundary only).
Update `docs/integrations/snuggle-inventor.md`.
Build sandbox profile binding `ext.vm-packer`; `setup.instructions` placeholder;
`secret_refs` list on profile (resolution v0: env `SANDBOXER_SECRET_*`, inject at
provision boundary only). Updated `docs/integrations/snuggle-inventor.md`.
## Secret boundary v0
```task
id: SAND-WP-0011-T05
status: todo
status: done
priority: medium
state_hub_task_id: "df4053de-ec74-40a3-ae9b-422c1be973cd"
```
`SetupSpec.secret_refs` resolution in manager pre-provision hook: fetch via
operator-documented OpenBao path; pass to extension handle; never store on
`SetupSpec.secret_refs` resolution in manager pre-provision hook via
`SANDBOXER_SECRET_<REF>` env; pass to extension handle; never store on
`SandboxStatus` or emit to State Hub. Tests with mocked resolver.
## Consumer smoke scripts
```task
id: SAND-WP-0011-T06
status: todo
status: done
priority: medium
state_hub_task_id: "9d5feebe-16a2-4448-ad0c-3276858341d1"
```
`scripts/smoke-agent-dev.sh`, `scripts/smoke-build-profile.sh` (dry-run or
CoulombCore gated). Integration section in each consumer doc.
`scripts/smoke-agent-dev.sh`, `scripts/smoke-build-profile.sh` (CoulombCore
gated). Integration section in each consumer doc.
## Tests and docs
```task
id: SAND-WP-0011-T07
status: todo
status: done
priority: high
state_hub_task_id: "849e0701-fe8f-4c08-ac24-98cdf554c24b"
```
Model tests for reachability fields; profile loader tests; update `SCOPE.md`
Model tests for reachability fields; profile loader tests; updated `SCOPE.md`
profile catalog. `make check` green.
---