---
id: SAND-WP-0011
type: workplan
title: "Reachability and consumer profiles"
domain: infotech
repo: sand-boxer
status: finished
owner: codex
topic_slug: custodian
created: "2026-06-24"
updated: "2026-06-24"
state_hub_workstream_id: "614a59b5-1b95-4e5d-9014-676c69a99b5f"
---

# Reachability and consumer profiles

Formalize ops-bridge tunnel attachment in reachability descriptors and ship first-class profiles for glas-harness and snuggle-inventor consumers.

Gap analysis P6/P7: `history/2026-06-24-post-wp0007-intent-scope-gap-analysis.md`

**Predecessor:** SAND-WP-0010 (cloud adapters)
**Follow-on:** SAND-WP-0012 (Packer orchestration)

---

## Reachability descriptor enrichment

```task
id: SAND-WP-0011-T01
status: done
priority: high
state_hub_task_id: "ccf21aaf-9439-41e2-9ce3-becc08f734a7"
```

Extend `Reachability` model: optional `tunnel` (local port / alias), `tunnel_via` (ops-bridge route id), `identity` (warden actor hint). Populate from profile `reachability` spec + `SANDBOXER_TUNNEL_*` env on compose-ssh / vm-packer. Document contract in `docs/meta-framework.md`; sand-boxer does not own tunnels.

## ops-bridge integration helper

```task
id: SAND-WP-0011-T02
status: done
priority: medium
state_hub_task_id: "61d41e09-ca21-4fbe-9b56-98f0ffe356c6"
```

`sandboxer reachability show ` and `GET /v1/sandboxes/{id}/reachability` surfacing SSH one-liner and tunnel status pointer (`ops-bridge` MCP / CLI doc link). No tunnel bring-up in sand-boxer — pointer only.

## profile.agent-dev

```task
id: SAND-WP-0011-T03
status: done
priority: high
state_hub_task_id: "1a10a784-6a7c-4af6-9fbf-48d31e7e22cb"
```

Profile for glas-harness: longer TTL defaults, `actor: agt` examples, route `prefer-self-hosted`. Extension `ext.compose-ssh`. Updated `docs/integrations/glas-harness.md` with real profile id.

## profile.build (snuggle-inventor)

```task
id: SAND-WP-0011-T04
status: done
priority: high
state_hub_task_id: "a8142492-32c8-40d4-b882-b555858b44bb"
```

Build sandbox profile binding `ext.vm-packer`; `setup.instructions` placeholder; `secret_refs` list on profile (resolution v0: env `SANDBOXER_SECRET_*`, inject at provision boundary only). Updated `docs/integrations/snuggle-inventor.md`.

## Secret boundary v0

```task
id: SAND-WP-0011-T05
status: done
priority: medium
state_hub_task_id: "df4053de-ec74-40a3-ae9b-422c1be973cd"
```

`SetupSpec.secret_refs` resolution in manager pre-provision hook via `SANDBOXER_SECRET_` env; pass to extension handle; never store on `SandboxStatus` or emit to State Hub. Tests with mocked resolver.

## Consumer smoke scripts

```task
id: SAND-WP-0011-T06
status: done
priority: medium
state_hub_task_id: "9d5feebe-16a2-4448-ad0c-3276858341d1"
```

`scripts/smoke-agent-dev.sh`, `scripts/smoke-build-profile.sh` (CoulombCore gated). Integration section in each consumer doc.

## Tests and docs

```task
id: SAND-WP-0011-T07
status: done
priority: high
state_hub_task_id: "849e0701-fe8f-4c08-ac24-98cdf554c24b"
```

Model tests for reachability fields; profile loader tests; updated `SCOPE.md` profile catalog. `make check` green.

---

## Out of scope

| Item | Track |
|------|-------|
| glas-harness tool execution | glas-harness repo |
| snuggle code generation | snuggle-inventor repo |
| ops-bridge tunnel automation | ops-bridge repo |

---

## Acceptance criteria

- `profile.agent-dev` and `profile.build` load and create via CLI
- Reachability JSON includes tunnel metadata when profile declares ops-bridge
- secret_refs resolved at boundary; absent from agent-visible status payload
- Consumer integration docs reference real profile ids
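
The secret boundary described under "Secret boundary v0", sketched as an added example; this is not sand-boxer's own code. The field layouts of `SetupSpec` and `SandboxStatus`, the ref-to-env-suffix mapping, and the names `resolve_secret_refs`, `provision` and `leaked_refs` are assumptions, as is the choice of Python.

```python
import json
import os
from dataclasses import dataclass, asdict

ENV_PREFIX = "SANDBOXER_SECRET_"  # prefix from the workplan; suffix mapping is assumed

class MissingSecretError(RuntimeError):
    """Raised before provisioning when a declared ref has no value."""

@dataclass(frozen=True)
class SetupSpec:  # hypothetical shape; only secret_refs is named by the workplan
    instructions: str = ""
    secret_refs: tuple = ()

@dataclass
class SandboxStatus:  # hypothetical agent-visible payload: no secret field at all
    sandbox_id: str
    phase: str = "pending"

def env_name(ref):
    # Assumed mapping: "registry-token" -> SANDBOXER_SECRET_REGISTRY_TOKEN
    return ENV_PREFIX + ref.upper().replace("-", "_")

def resolve_secret_refs(spec, environ=None):
    """Resolve every ref or fail closed; the error names refs, never values."""
    environ = os.environ if environ is None else environ
    resolved = {ref: environ.get(env_name(ref), "") for ref in spec.secret_refs}
    missing = sorted(ref for ref, value in resolved.items() if not value)
    if missing:
        raise MissingSecretError("unresolved secret_refs: " + ", ".join(missing))
    return resolved

def provision(sandbox_id, spec, extension, environ=None):
    """Pre-provision hook: values reach the extension handle and nothing else."""
    secrets = resolve_secret_refs(spec, environ)
    extension(sandbox_id, secrets)  # the only consumer of resolved values
    return asdict(SandboxStatus(sandbox_id, "provisioned"))  # stored / emitted

def leaked_refs(payload, secrets):
    """Test helper: refs whose resolved value appears in a serialized payload."""
    blob = json.dumps(payload, default=str, ensure_ascii=False)
    return sorted(ref for ref, value in secrets.items() if value in blob)
```

Passing `environ` as a plain dict stands in for the mocked resolver the task mentions, so tests never touch the real process environment.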