sand-boxer/docs/cloud-adapters.md at main

Files

tegwick 15f031fd65 feat: cloud adapters E2B/Modal and billing export (SAND-WP-0010)

Add credentialed E2B and Modal extensions, burst routing fallback,
fin-hub meter export hook, BYOK docs, and 77 tests.

2026-06-24 12:50:19 +02:00

1.5 KiB

Raw Permalink Blame History

Metered SaaS sandbox backends — SAND-WP-0010.

Extensions

Extension	Profile	Provider API
`ext.e2b`	`profile.e2b-burst`	`https://api.e2b.dev`
`ext.modal`	`profile.modal-gpu`	`https://api.modal.com`
`ext.saas-stub`	`profile.saas-stub`	None (local stub)

profile.burst-sandbox routes: compose-ssh → E2B → Modal → saas-stub.

BYOK credentials

Resolve keys at provision boundary only — never in Git, workplans, or State Hub.

warden route find "E2B API key" --json
warden route find "Modal token" --json

Extension	Primary env	secret_ref env fallback
`ext.e2b`	`E2B_API_KEY`	`SANDBOXER_SECRET_E2B_API_KEY`
`ext.modal`	`MODAL_TOKEN_ID`	`SANDBOXER_SECRET_MODAL_TOKEN_ID`

OpenBao custody via railiance-platform; sand-boxer reads env injected by operator.

Usage

export E2B_API_KEY=...   # operator-injected, not in repo

sandboxer create --profile profile.e2b-burst
sandboxer create --profile profile.burst-sandbox   # SaaS when self-hosted unavailable
sandboxer destroy <id>

fin-hub export

On metered destroy, optional POST to SANDBOXER_FIN_HUB_URL/usage/sandbox. Disabled by default. Set SANDBOXER_NO_FIN_HUB=1 to suppress.

CI

Unit tests mock HTTP — no live provider calls in make check.

Operator smoke (credentials required):

./scripts/smoke-cloud-adapter.sh e2b

1.5 KiB Raw Permalink Blame History

Cloud adapters (E2B, Modal)

Extensions

BYOK credentials

Usage

fin-hub export

CI

1.5 KiB

Raw Permalink Blame History