# sand-boxer integration

wise-validator **consumes** sand-boxer for isolated execution environments.
sand-boxer is self-sustained and does not depend on wise-validator.

## Provision

```bash
# Invoked internally by `validate run`; equivalent manual call:
sandboxer create \
  --profile profile.compose-e2e \
  --input repo=/path/to/repo \
  --actor atm \
  --project wise-validator \
  --host "${SANDBOXER_HOST:-coulombcore}"
```

Environment variables:

| Variable | Purpose |
|----------|---------|
| `SANDBOXER_HOST` | Default sandbox host |
| `SANDBOXER_SSH_USER` | SSH user when not in reachability |
| `SANDBOXER_SSH_KEY` | SSH private key path |
| `SANDBOXER_COMPOSE_CMD` | `podman-compose` on CoulombCore |
| `SANDBOXER_BIN` | Override `sandboxer` binary path |

## wise-validator steps after `ready`

1. Poll `health_checks` from repo `e2e/e2e.yml` via SSH `curl` on remote host
2. Run `test_command` in `reachability.remote_dir`
3. `destroy` per `cleanup` policy (`always` / `on_success` / `never`, or `--keep`)

## Ownership

| Concern | Owner |
|---------|-------|
| rsync + compose up + reachability | sand-boxer |
| `e2e/e2e.yml` parsing | wise-validator |
| HTTP health polling | wise-validator |
| Test command + pass/fail | wise-validator |
| State Hub `e2e_result` events | wise-validator |
| Sandbox lifecycle events | sand-boxer |

Canon in sand-boxer: `sand-boxer/docs/integrations/wise-validator.md`