| id | type | title | domain | repo | status | owner | topic_slug | created | updated | state_hub_workstream_id |
|---|---|---|---|---|---|---|---|---|---|---|
| SAND-WP-0011 | workplan | Reachability and consumer profiles | infotech | sand-boxer | ready | codex | custodian | 2026-06-24 | 2026-06-24 | 614a59b5-1b95-4e5d-9014-676c69a99b5f |
Reachability and consumer profiles
Formalize ops-bridge tunnel attachment in reachability descriptors and ship first-class profiles for glas-harness and snuggle-inventor consumers.
Gap analysis P6/P7: history/2026-06-24-post-wp0007-intent-scope-gap-analysis.md
Predecessor: SAND-WP-0010 (cloud adapters — proposed)
Follow-on: SAND-WP-0012 (Packer orchestration)
Note: Can proceed in parallel with SAND-WP-0010 where profiles are self-hosted.
Reachability descriptor enrichment
id: SAND-WP-0011-T01
status: todo
priority: high
state_hub_task_id: "ccf21aaf-9439-41e2-9ce3-becc08f734a7"
Extend Reachability model: optional tunnel (local port / alias), tunnel_via
(ops-bridge route id), identity (warden actor hint). Populate from profile
reachability spec + SANDBOXER_TUNNEL_* env on compose-ssh / vm-packer.
Document contract in docs/meta-framework.md; sand-boxer does not own tunnels.
ops-bridge integration helper
id: SAND-WP-0011-T02
status: todo
priority: medium
state_hub_task_id: "61d41e09-ca21-4fbe-9b56-98f0ffe356c6"
Optional sandboxer reachability show <id> (or enrich get output) surfacing
SSH one-liner and tunnel status pointer (ops-bridge MCP / CLI doc link). No
tunnel bring-up in sand-boxer — pointer only.
profile.agent-dev
id: SAND-WP-0011-T03
status: todo
priority: high
state_hub_task_id: "1a10a784-6a7c-4af6-9fbf-48d31e7e22cb"
Profile for glas-harness: longer TTL defaults, actor: agt examples, route
prefer-self-hosted. Extension ext.compose-ssh or vm-packer attach variant.
Update docs/integrations/glas-harness.md with real profile id.
profile.build (snuggle-inventor)
id: SAND-WP-0011-T04
status: todo
priority: high
state_hub_task_id: "a8142492-32c8-40d4-b882-b555858b44bb"
Build sandbox profile binding profile.vm-haskell-build or compose path;
setup.instructions placeholder; secret_refs list on profile (resolution v0:
validate refs exist via warden route, inject at provision boundary only).
Update docs/integrations/snuggle-inventor.md.
Secret boundary v0
id: SAND-WP-0011-T05
status: todo
priority: medium
state_hub_task_id: "df4053de-ec74-40a3-ae9b-422c1be973cd"
SetupSpec.secret_refs resolution in manager pre-provision hook: fetch via
operator-documented OpenBao path; pass to extension handle; never store on
SandboxStatus or emit to State Hub. Tests with mocked resolver.
Consumer smoke scripts
id: SAND-WP-0011-T06
status: todo
priority: medium
state_hub_task_id: "9d5feebe-16a2-4448-ad0c-3276858341d1"
scripts/smoke-agent-dev.sh, scripts/smoke-build-profile.sh (dry-run or
CoulombCore gated). Integration section in each consumer doc.
Tests and docs
id: SAND-WP-0011-T07
status: todo
priority: high
state_hub_task_id: "849e0701-fe8f-4c08-ac24-98cdf554c24b"
Model tests for reachability fields; profile loader tests; update SCOPE.md
profile catalog. make check green.
Out of scope
| Item | Track |
|---|---|
| glas-harness tool execution | glas-harness repo |
| snuggle code generation | snuggle-inventor repo |
| ops-bridge tunnel automation | ops-bridge repo |
Acceptance criteria
- profile.agent-dev and profile.build load and create via CLI
- Reachability JSON includes tunnel metadata when profile declares ops-bridge
- secret_refs resolved at boundary; absent from agent-visible status payload
- Consumer integration docs reference real profile ids
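
A sketch of the secret boundary from SAND-WP-0011-T05 and the secret_refs acceptance criterion, added here as an illustration and not taken from the sand-boxer code base. Python is an assumption; only the names SetupSpec.secret_refs and SandboxStatus come from this workplan, and every other name, field and sample value is hypothetical.

```python
import json
from dataclasses import dataclass, field, asdict
from typing import Callable, Dict, Iterable, List, Optional

@dataclass
class SetupSpec:                 # assumed shape; only secret_refs is named in the plan
    secret_refs: List[str] = field(default_factory=list)

@dataclass
class SandboxStatus:             # assumed shape; deliberately has no secret field
    sandbox_id: str
    state: str = "pending"

class MissingSecretRef(Exception):
    """Raised with the ref name only, never a value."""

def pre_provision(sandbox_id: str, spec: SetupSpec,
                  resolve: Callable[[str], Optional[str]],
                  provision: Callable[[str, Dict[str, str]], None]) -> SandboxStatus:
    """Hypothetical manager hook: resolve every ref, then cross the boundary once."""
    resolved: Dict[str, str] = {}
    for ref in spec.secret_refs:
        value = resolve(ref)
        if value is None:
            # Fail closed before anything is provisioned.
            raise MissingSecretRef(ref)
        resolved[ref] = value
    # The extension handle is the only consumer of the resolved values.
    provision(sandbox_id, resolved)
    # The returned status is built without touching `resolved`.
    return SandboxStatus(sandbox_id, "provisioned")

def status_payload(status: SandboxStatus) -> dict:
    """Agent-visible / State Hub payload, derived from SandboxStatus only."""
    return asdict(status)

def leaks(payload: dict, secret_values: Iterable[str]) -> bool:
    """Test helper: True if any resolved value appears in the serialized payload."""
    blob = json.dumps(payload)
    return any(v in blob for v in secret_values)

# Constructed sample data: a mocked resolver standing in for the OpenBao lookup.
MOCK_STORE = {"build/registry-token": "s3cr3t-constructed-value"}

def mock_resolver(ref: str) -> Optional[str]:
    return MOCK_STORE.get(ref)
```

Running `leaks` over every payload emitted in the mocked-resolver tests gives the "absent from agent-visible status payload" criterion a direct assertion.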