sandbox-blueprint

What problem does it solve?

This Skill captures a production-proven architecture and workflows for provisioning, operating, and lifecycle-managing sandbox containers or VMs for Tangle Blueprints, removing the complexity of coordinating on-chain jobs with off-chain operator services. It standardizes secure session authentication, two-phase secret provisioning, sidecar integration and health handling, tiered garbage collection, and optional TEE backends so teams can build reproducible, auditable sandboxed compute environments.

Core Features & Use Cases

• Crate architecture and runtime patterns for separating stable runtime contracts, product-specific handlers, and binary entry points to enable reuse and safe deployments.
• On-chain vs operator API split to keep auditable state changes on-chain while handling reads, operational I/O, and secrets via an Axum-based operator API.
• Multi-phase provisioning and progress tracking with image pull, create/start, health checks, token generation, and persistence of SandboxRecord.
• Session auth and scoped tokens using EIP-191 challenge/response combined with PASETO v4.local for scoped sandbox sessions.
• Two-phase secret injection and TEE abstraction so secrets never appear in on-chain calldata and can be sealed to enclave backends.
• Reaper, tiered GC, and circuit breaker for robust lifecycle enforcement, snapshotting, and sidecar resiliency.
• Use case: implement a blueprint that provisions isolated agent sandboxes, exposes an operator API for runtime control and UI embedding, and enforces strict tenant isolation and lifecycle policies.

Quick Start

Create a sandbox blueprint that provisions a container, performs health checks, issues a scoped session token, and exposes an operator API for runtime operations.