---
id: SAND-WP-0005
type: workplan
title: "Extension SDK and ext.vm-packer"
domain: infotech
repo: sand-boxer
status: finished
owner: codex
topic_slug: custodian
created: "2026-06-23"
updated: "2026-06-23"
state_hub_workstream_id: "9e1f7eda-d1ea-4c2b-9141-2ee9afbf60de"
---

# Extension SDK and ext.vm-packer

Deliver INTENT near-term outcome #7 (extension SDK sketch) and begin `infra/build-machines/` migration via `ext.vm-packer` attach mode.

**Predecessor:** SAND-WP-0004 (e2e shim — finished)

**Follow-on:** SAND-WP-0006 (SaaS extensions + payments), SAND-WP-0007 (snapshots)

## Extension SDK

```task
id: SAND-WP-0005-T01
status: done
priority: high
state_hub_task_id: "44b69d2c-52e6-43cc-8737-ae3bc8d92c36"
```

`SandboxExtension` base class (`src/sandboxer/extensions/base.py`), `docs/extension-sdk.md` author guide. `ComposeSSHExtension` refactored to subclass base.

## ext.vm-packer attach mode

```task
id: SAND-WP-0005-T02
status: done
priority: high
state_hub_task_id: "259bae15-2c64-4f8f-910f-3e79f339945f"
```

`VMPackerExtension` — SSH attach to pre-built VM, workspace under `/build/sbx-/`, optional repo rsync, teardown removes workspace only. Registration: `extensions/ext.vm-packer.yaml`.

## profile.vm-haskell-build

```task
id: SAND-WP-0005-T03
status: done
priority: high
state_hub_task_id: "ac26cb05-bf05-4fdb-bb6c-93d37cbfce73"
```

Profile + runbook for Haskell build VM (build-machines lineage). `docs/migration-build-machines.md` maps legacy workflows.

## SSH port support

```task
id: SAND-WP-0005-T04
status: done
priority: medium
state_hub_task_id: "01e1008e-04c0-4319-988a-1f67765c4c70"
```

`SSHConfig.port` for reverse-tunnel ports (12222). Manager stores `vm_target` / `ssh_port` on destroy handle.

## Tests

```task
id: SAND-WP-0005-T05
status: done
priority: high
state_hub_task_id: "55e4577d-bd9c-4437-8457-5e2751100ecc"
```

Unit tests: `test_vm_packer.py`, `test_extension_base.py`, `test_extension_registry.py`.

## Deferred

```task
id: SAND-WP-0005-T06
status: wait
priority: low
state_hub_task_id: "d7d0e75b-d6f5-4b24-aa87-5b3e8b6dd5ad"
```

Packer build orchestration from `sandboxer create`; the-custodian `make remote-build` shim; port-registry automation.