The sandbox is the execution boundary for session-attached resources and tool work. Its public contract is intentionally small:
provision(resources)
execute(name, input)

Why this abstraction matters

The sandbox should be replaceable. Today it is local-only. Later it may be:
  • a remote container
  • a cloud worker
  • another isolated executor
If the rest of the runtime depends only on provision and execute, that swap stays tractable.

Current implementation

The current implementation is:
  • local
  • workspace-backed
  • resource-aware
That is enough for the current session-first runtime frontier.

Relationship to resources

The sandbox does not invent resources. It receives ResourceAttachment[] and provisions them. That keeps the boundary clear:
  • session owns the list of attached resources
  • environment defines the reusable execution substrate
  • sandbox turns those into an executable runtime context

Relationship to tools

The sandbox is not the tool registry. Tools define:
  • name
  • description
  • schema
  • ownership
  • permission policy
The sandbox only executes within the current environment boundary.
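The following is an added example, not the project's own code, written to show the three boundaries above in one place: the two-method contract, a session-supplied ResourceAttachment[] that the sandbox provisions but never invents, and a tool registry that the sandbox consults but does not own. Every name here (ResourceAttachment, ToolDefinition, ExecutionContext, LocalSandbox, confine, demo) is an assumption, and the workspace is an in-memory map so the file runs offline.

```typescript
// Added example, not the project's own code. Every name here is an assumption:
// a small Sandbox contract with a local, workspace-backed, resource-aware
// implementation whose workspace is an in-memory map so the file runs offline.

interface ResourceAttachment {        // owned by the session
  id: string;
  kind: "file" | "env";
  path?: string;                      // "file": path relative to the workspace root
  content?: string;
  name?: string;                      // "env": variable name
  value?: string;
}

interface ExecutionContext {          // what a tool sees while it runs
  readFile(relPath: string): string;
  env: Readonly<Record<string, string>>;
}

interface ToolDefinition {            // owned by the tool registry, not the sandbox
  name: string;
  description: string;
  allowed: boolean;                   // stand-in for a real permission policy
  run(input: unknown, ctx: ExecutionContext): unknown;
}

interface Sandbox {                   // the whole public contract
  provision(resources: ResourceAttachment[]): void;
  execute(name: string, input: unknown): unknown;
}

// Keep every path inside the workspace: reject absolute paths and any ".."
// that would climb above the root. Returns the normalized relative path.
function confine(relPath: string): string {
  if (relPath.startsWith("/")) throw new Error(`absolute path rejected: ${relPath}`);
  const parts: string[] = [];
  for (const seg of relPath.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (parts.length === 0) throw new Error(`path leaves workspace: ${relPath}`);
      parts.pop();
    } else {
      parts.push(seg);
    }
  }
  return parts.join("/");
}

class LocalSandbox implements Sandbox {
  private readonly files = new Map<string, string>();
  private env: Record<string, string> = {};

  constructor(private readonly registry: ReadonlyMap<string, ToolDefinition>) {}

  // The session decides what is attached; the sandbox only materializes it.
  provision(resources: ResourceAttachment[]): void {
    for (const r of resources) {
      if (r.kind === "file" && r.path !== undefined) {
        this.files.set(confine(r.path), r.content ?? "");
      } else if (r.kind === "env" && r.name !== undefined) {
        this.env[r.name] = r.value ?? "";
      } else {
        throw new Error(`malformed attachment ${r.id}`);
      }
    }
  }

  // Look the tool up in the registry, honour its policy, run it with a context
  // that cannot reach outside the provisioned workspace.
  execute(name: string, input: unknown): unknown {
    const tool = this.registry.get(name);
    if (!tool) throw new Error(`unknown tool: ${name}`);
    if (!tool.allowed) throw new Error(`tool not permitted: ${name}`);
    const ctx: ExecutionContext = {
      env: { ...this.env },
      readFile: (p) => {
        const key = confine(p);
        const data = this.files.get(key);
        if (data === undefined) throw new Error(`no such file in workspace: ${key}`);
        return data;
      },
    };
    return tool.run(input, ctx);
  }
}

// Constructed registry used by demo(); in a real runtime this lives elsewhere.
const registry = new Map<string, ToolDefinition>([
  ["count_words", { name: "count_words", description: "count words in a workspace file", allowed: true,
    run: (input: unknown, ctx: ExecutionContext) =>
      ctx.readFile((input as { path: string }).path).trim().split(/\s+/).length }],
  ["wipe_workspace", { name: "wipe_workspace", description: "destructive, denied by policy", allowed: false,
    run: () => { throw new Error("should never run"); } }],
]);

function fails(fn: () => unknown): boolean {
  try { fn(); return false; } catch { return true; }
}

// Constructed session data: one file attachment and one env attachment.
function demo() {
  const sandbox = new LocalSandbox(registry);
  sandbox.provision([
    { id: "r1", kind: "file", path: "notes/todo.txt", content: "fix sandbox boundary tests" },
    { id: "r2", kind: "env", name: "SESSION_ID", value: "constructed-session" },
  ]);
  return {
    wordCount: sandbox.execute("count_words", { path: "./notes/todo.txt" }) as number,
    unknownRejected: fails(() => sandbox.execute("no_such_tool", {})),
    deniedRejected: fails(() => sandbox.execute("wipe_workspace", {})),
    escapeRejected: fails(() => sandbox.execute("count_words", { path: "../outside.txt" })),
  };
}
```

Because the rest of the runtime only sees the Sandbox interface, a remote or cloud implementation can replace LocalSandbox without touching the session or the registry; the confine check is what "executes within the current environment boundary" means for the local case.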

Current non-goals

The current sandbox layer does not yet try to be:
  • a cloud container runtime
  • a full network policy engine
  • a secret distribution system
  • a multi-tenant production isolation layer
Those are future concerns. The current goal is a durable, explicit local contract.