Add reachability enrichment (tunnel metadata, ops-bridge pointer), secret_refs boundary resolution, profile.agent-dev and profile.build, CLI reachability show, API endpoint, consumer smoke scripts, and tests.
| id | type | title | domain | repo | status | owner | topic_slug | created | updated | state_hub_workstream_id |
|---|---|---|---|---|---|---|---|---|---|---|
| SAND-WP-0011 | workplan | Reachability and consumer profiles | infotech | sand-boxer | finished | codex | custodian | 2026-06-24 | 2026-06-24 | 614a59b5-1b95-4e5d-9014-676c69a99b5f |
Reachability and consumer profiles
Formalize ops-bridge tunnel attachment in reachability descriptors and ship first-class profiles for glas-harness and snuggle-inventor consumers.
Gap analysis P6/P7: history/2026-06-24-post-wp0007-intent-scope-gap-analysis.md
Predecessor: SAND-WP-0010 (cloud adapters)
Follow-on: SAND-WP-0012 (Packer orchestration)
Reachability descriptor enrichment
id: SAND-WP-0011-T01
status: done
priority: high
state_hub_task_id: "ccf21aaf-9439-41e2-9ce3-becc08f734a7"
Extend Reachability model: optional tunnel (local port / alias), tunnel_via
(ops-bridge route id), identity (warden actor hint). Populate from profile
reachability spec + SANDBOXER_TUNNEL_* env on compose-ssh / vm-packer.
Document contract in docs/meta-framework.md; sand-boxer does not own tunnels.
ops-bridge integration helper
id: SAND-WP-0011-T02
status: done
priority: medium
state_hub_task_id: "61d41e09-ca21-4fbe-9b56-98f0ffe356c6"
sandboxer reachability show <id> and GET /v1/sandboxes/{id}/reachability
surfacing SSH one-liner and tunnel status pointer (ops-bridge MCP / CLI doc
link). No tunnel bring-up in sand-boxer — pointer only.
profile.agent-dev
id: SAND-WP-0011-T03
status: done
priority: high
state_hub_task_id: "1a10a784-6a7c-4af6-9fbf-48d31e7e22cb"
Profile for glas-harness: longer TTL defaults, actor: agt examples, route
prefer-self-hosted. Extension ext.compose-ssh. Updated
docs/integrations/glas-harness.md with real profile id.
profile.build (snuggle-inventor)
id: SAND-WP-0011-T04
status: done
priority: high
state_hub_task_id: "a8142492-32c8-40d4-b882-b555858b44bb"
Build sandbox profile binding ext.vm-packer; setup.instructions placeholder;
secret_refs list on profile (resolution v0: env SANDBOXER_SECRET_*, inject at
provision boundary only). Updated docs/integrations/snuggle-inventor.md.
Secret boundary v0
id: SAND-WP-0011-T05
status: done
priority: medium
state_hub_task_id: "df4053de-ec74-40a3-ae9b-422c1be973cd"
SetupSpec.secret_refs resolution in manager pre-provision hook via
SANDBOXER_SECRET_<REF> env; pass to extension handle; never store on
SandboxStatus or emit to State Hub. Tests with mocked resolver.
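
A sketch of the v0 secret boundary described in this task, added here as an example in Python; it is not sand-boxer's own code, and the project's language and types are not shown on this page. The ref-to-env normalization, the ref grammar, the `Secret` wrapper, the `SandboxStatus` fields and the `provision` / `status_payload` helpers are assumptions.

```python
import os
import re
from dataclasses import dataclass, asdict

ENV_PREFIX = "SANDBOXER_SECRET_"                      # prefix from the workplan
REF_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,63}")   # assumed ref grammar

class SecretResolutionError(RuntimeError):
    """Raised before provisioning when a ref is invalid or unresolved."""

class Secret:
    """Resolved value; repr is redacted so logging a handle cannot leak it."""
    __slots__ = ("_value",)
    def __init__(self, value):
        self._value = value
    def reveal(self):
        return self._value
    def __repr__(self):
        return "Secret(<redacted>)"

def env_name(ref):
    # Reject anything outside the grammar, then map the ref to its env variable.
    if not REF_RE.fullmatch(ref):
        raise SecretResolutionError(f"invalid secret ref: {ref!r}")
    return ENV_PREFIX + ref.upper().replace("-", "_")  # assumed normalization

def resolve_secret_refs(refs, environ=os.environ):
    """Pre-provision hook step: resolve every ref or fail closed."""
    names = {ref: env_name(ref) for ref in refs}
    # An empty value is treated the same as a missing one.
    missing = sorted(r for r, n in names.items() if not environ.get(n))
    if missing:
        raise SecretResolutionError(f"unresolved secret_refs: {missing}")
    return {r: Secret(environ[n]) for r, n in names.items()}

@dataclass
class SandboxStatus:          # hypothetical shape: deliberately no secret field
    sandbox_id: str
    state: str = "pending"

def provision(sandbox_id, refs, extension_provision, environ=os.environ):
    secrets = resolve_secret_refs(refs, environ)   # resolved at the boundary
    extension_provision(sandbox_id, secrets)       # handed to the extension only
    return SandboxStatus(sandbox_id, "running")    # nothing secret is retained

def status_payload(status):
    """What an agent or State Hub consumer would see."""
    return asdict(status)
```
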
Consumer smoke scripts
id: SAND-WP-0011-T06
status: done
priority: medium
state_hub_task_id: "9d5feebe-16a2-4448-ad0c-3276858341d1"
scripts/smoke-agent-dev.sh, scripts/smoke-build-profile.sh (CoulombCore
gated). Integration section in each consumer doc.
Tests and docs
id: SAND-WP-0011-T07
status: done
priority: high
state_hub_task_id: "849e0701-fe8f-4c08-ac24-98cdf554c24b"
Model tests for reachability fields; profile loader tests; updated SCOPE.md
profile catalog. make check green.
Out of scope
| Item | Track |
|---|---|
| glas-harness tool execution | glas-harness repo |
| snuggle code generation | snuggle-inventor repo |
| ops-bridge tunnel automation | ops-bridge repo |
Acceptance criteria
- profile.agent-dev and profile.build load and create via CLI
- Reachability JSON includes tunnel metadata when profile declares ops-bridge
- secret_refs resolved at boundary; absent from agent-visible status payload
- Consumer integration docs reference real profile ids