feat(sandbox): code-execution sandbox + runnable artifacts

.commitlintrc.json

@@ -17,6 +17,7 @@
         "pii",
         "proxy",
         "rag",
+        "sandbox",
         "storybook",
         "ui",
         "web",

.env.test

@@ -44,3 +44,7 @@ POSTGRES_PASSWORD=test_password_e2e
 # Convex
 INSTANCE_SECRET=0000000000000000000000000000000000000000000000000000000000000000
 INSTANCE_NAME=tale_platform
+
+# Sandbox spawner — fixed test-only HMAC token so the smoke script can sign
+# /v1/execute. Production deploys auto-mint via the CLI's ensure-env helper.
+SANDBOX_TOKEN=test-sandbox-token-do-not-use-in-production-deadbeefcafef00d

.github/workflows/build.yml

@@ -106,6 +106,12 @@ jobs:
               - 'services/platform/**'
               - 'packages/ui/**'
               - 'packages/webui/**'
+            sandbox:
+              - 'services/sandbox/**'
+            sandbox-egress:
+              - 'services/sandbox-egress/**'
+            sandbox-runtime:
+              - 'services/sandbox-runtime/**'
             ci_tests:
               - 'tests/container-*'
               - 'compose.test.yml'
@@ -118,6 +124,9 @@ jobs:
               - 'services/rag/**'
               - 'services/platform/**'
               - 'services/proxy/**'
+              - 'services/sandbox/**'
+              - 'services/sandbox-egress/**'
+              - 'services/sandbox-runtime/**'
 
       - name: Compute service matrix
         id: services
@@ -127,10 +136,11 @@ jobs:
           echo "list=${SERVICES}" >> "$GITHUB_OUTPUT"
           echo "Services to build: ${SERVICES}"
 
-          # Vulnerability scan only covers the six compose-stack services that
-          # `build` actually pushes to GHCR. Web and docs use their own compose
-          # stacks and are reachable via security.yml's filesystem scan.
-          SCANNABLE=$(echo "${SERVICES}" | jq -c '[.[] | select(. == "db" or . == "convex" or . == "crawler" or . == "rag" or . == "platform" or . == "proxy")]')
+          # Vulnerability scan covers the compose-stack services + sandbox
+          # trio that `build` actually pushes to GHCR. Web and docs use their
+          # own compose stacks and are reachable via security.yml's
+          # filesystem scan.
+          SCANNABLE=$(echo "${SERVICES}" | jq -c '[.[] | select(. == "db" or . == "convex" or . == "crawler" or . == "rag" or . == "platform" or . == "proxy" or . == "sandbox" or . == "sandbox-egress" or . == "sandbox-runtime")]')
           echo "scannable=${SCANNABLE}" >> "$GITHUB_OUTPUT"
           echo "Services to scan: ${SCANNABLE}"
 
@@ -180,14 +190,25 @@ jobs:
       matrix:
         # Compose-stack services. Keep in sync with build.yml (smoke/validate
         # pull loops) and cleanup-pr-images.yml matrix.
-        service: [db, convex, crawler, rag, platform, proxy]
+        service:
+          [
+            db,
+            convex,
+            crawler,
+            rag,
+            platform,
+            proxy,
+            sandbox,
+            sandbox-egress,
+            sandbox-runtime,
+          ]
 
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Reclaim disk space
-        if: matrix.service == 'platform' || matrix.service == 'rag' || matrix.service == 'crawler' || matrix.service == 'convex'
+        if: matrix.service == 'platform' || matrix.service == 'rag' || matrix.service == 'crawler' || matrix.service == 'convex' || matrix.service == 'sandbox-runtime'
         run: |
           sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc /opt/hostedtoolcache/CodeQL
           sudo docker image prune -af
@@ -316,16 +337,22 @@ jobs:
       # `docker compose build` step.
       - name: Pull images from GHCR
         run: |
-          # Compose-stack services. Keep in sync with build.yml (build matrix)
-          # and cleanup-pr-images.yml matrix.
+          # Compose-stack services + sandbox-runtime. Keep in sync with build.yml
+          # (build matrix) and cleanup-pr-images.yml matrix. sandbox-runtime is
+          # not a compose service but the spawner pulls it at boot — re-tag it
+          # locally so smoke tests with PULL_POLICY=never find it.
           TAG="${{ needs.changes.outputs.image_tag }}"
           REGISTRY_PATH="${{ env.REGISTRY }}/${{ github.repository }}"
-          for svc in db convex crawler rag platform proxy; do
+          for svc in db convex crawler rag platform proxy sandbox sandbox-egress sandbox-runtime; do
             IMAGE="${REGISTRY_PATH}/tale-${svc}:${TAG}"
             echo "Pulling ${IMAGE}..."
             docker pull "${IMAGE}"
             docker tag "${IMAGE}" "ghcr.io/tale-project/tale/tale-${svc}:latest"
           done
+          # See note in image-validate: the spawner's SANDBOX_RUNTIME_IMAGE
+          # defaults to the unscoped `tale-sandbox-runtime:latest`.
+          docker tag "ghcr.io/tale-project/tale/tale-sandbox-runtime:latest" \
+            "tale-sandbox-runtime:latest"
 
       - name: Run smoke tests
         run: bash tests/container-smoke-test.sh
@@ -511,16 +538,24 @@ jobs:
 
       - name: Pull images from GHCR
         run: |
-          # Compose-stack services. Keep in sync with build.yml (build matrix)
-          # and cleanup-pr-images.yml matrix.
+          # Compose-stack services + sandbox-runtime. Keep in sync with build.yml
+          # (build matrix) and cleanup-pr-images.yml matrix. sandbox-runtime is
+          # not a compose service but the spawner pulls it at boot — re-tag it
+          # locally so PULL_POLICY=never validation finds it.
           TAG="${{ needs.changes.outputs.image_tag }}"
           REGISTRY_PATH="${{ env.REGISTRY }}/${{ github.repository }}"
-          for svc in db convex crawler rag platform proxy; do
+          for svc in db convex crawler rag platform proxy sandbox sandbox-egress sandbox-runtime; do
             IMAGE="${REGISTRY_PATH}/tale-${svc}:${TAG}"
             echo "Pulling ${IMAGE}..."
             docker pull "${IMAGE}"
             docker tag "${IMAGE}" "ghcr.io/tale-project/tale/tale-${svc}:latest"
           done
+          # The spawner reads SANDBOX_RUNTIME_IMAGE which defaults to
+          # `tale-sandbox-runtime:latest` (unscoped). Mirror the tag so the
+          # spawner's boot-time `ensureImage` hits a local cache instead of
+          # trying to pull from GHCR.
+          docker tag "ghcr.io/tale-project/tale/tale-sandbox-runtime:latest" \
+            "tale-sandbox-runtime:latest"
 
       - name: Run image validation
         run: bash tests/container-image-test.sh
@@ -605,6 +640,7 @@ jobs:
           format: 'sarif'
           output: '${{ matrix.service }}-trivy.sarif'
           severity: 'HIGH,CRITICAL'
+          trivyignores: '.trivyignore.yaml'
 
       - name: Upload SARIF
         uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3

.github/workflows/cleanup-pr-images.yml

@@ -28,7 +28,18 @@ jobs:
       matrix:
         # Compose-stack services. Keep in sync with build.yml (build matrix +
         # smoke/validate pull loops).
-        service: [db, convex, crawler, rag, platform, proxy]
+        service:
+          [
+            db,
+            convex,
+            crawler,
+            rag,
+            platform,
+            proxy,
+            sandbox,
+            sandbox-egress,
+            sandbox-runtime,
+          ]
 
     steps:
       - name: Delete PR-tagged versions

.github/workflows/release.yml

@@ -77,6 +77,9 @@ jobs:
           - { name: convex }
           - { name: web }
           - { name: docs }
+          - { name: sandbox }
+          - { name: sandbox-egress }
+          - { name: sandbox-runtime }
         arch:
           - { name: amd64, runner: ubuntu-latest, platform: linux/amd64 }
           - { name: arm64, runner: ubuntu-24.04-arm, platform: linux/arm64 }
@@ -86,7 +89,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Reclaim disk space
-        if: matrix.service.name == 'platform' || matrix.service.name == 'rag' || matrix.service.name == 'crawler' || matrix.service.name == 'convex'
+        if: matrix.service.name == 'platform' || matrix.service.name == 'rag' || matrix.service.name == 'crawler' || matrix.service.name == 'convex' || matrix.service.name == 'sandbox-runtime'
         run: |
           sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc /opt/hostedtoolcache/CodeQL
           sudo docker image prune -af
@@ -156,7 +159,7 @@ jobs:
         run: |
           VERSION="${{ needs.prepare.outputs.version_number }}"
           ARCH="amd64"
-          for svc in platform rag crawler db proxy convex web docs; do
+          for svc in platform rag crawler db proxy convex web docs sandbox sandbox-egress sandbox-runtime; do
             IMAGE="${{ env.REGISTRY }}/${{ github.repository }}/tale-${svc}:${VERSION}-${ARCH}"
             echo "Pulling ${IMAGE}..."
             docker pull "${IMAGE}"
@@ -207,7 +210,20 @@ jobs:
 
     strategy:
       matrix:
-        service: [platform, rag, crawler, db, proxy, convex, web, docs]
+        service:
+          [
+            platform,
+            rag,
+            crawler,
+            db,
+            proxy,
+            convex,
+            web,
+            docs,
+            sandbox,
+            sandbox-egress,
+            sandbox-runtime,
+          ]
 
     steps:
       - name: Login to GHCR
@@ -256,7 +272,7 @@ jobs:
         run: |
           VERSION="${{ needs.prepare.outputs.version_number }}"
           REGISTRY="${{ env.REGISTRY }}/${{ github.repository }}"
-          for svc in platform rag crawler db proxy convex web docs; do
+          for svc in platform rag crawler db proxy convex web docs sandbox sandbox-egress sandbox-runtime; do
             IMAGE="${REGISTRY}/tale-${svc}:${VERSION}"
             echo "Verifying manifest: ${IMAGE}"
             docker manifest inspect "${IMAGE}" > /dev/null 2>&1 || {
@@ -310,13 +326,13 @@ jobs:
         run: |
           echo "## Release ${{ needs.prepare.outputs.version }} Complete" >> "$GITHUB_STEP_SUMMARY"
           echo "" >> "$GITHUB_STEP_SUMMARY"
-          echo "All 8 service images have been built, tested, and pushed to GHCR (native amd64 + arm64)." >> "$GITHUB_STEP_SUMMARY"
+          echo "All 11 service images have been built, tested, and pushed to GHCR (native amd64 + arm64)." >> "$GITHUB_STEP_SUMMARY"
           echo "" >> "$GITHUB_STEP_SUMMARY"
           echo "### Images" >> "$GITHUB_STEP_SUMMARY"
           echo "" >> "$GITHUB_STEP_SUMMARY"
           echo "| Service | Image |" >> "$GITHUB_STEP_SUMMARY"
           echo "|---------|-------|" >> "$GITHUB_STEP_SUMMARY"
-          for svc in platform rag crawler db proxy convex web docs; do
+          for svc in platform rag crawler db proxy convex web docs sandbox sandbox-egress sandbox-runtime; do
             echo "| ${svc} | \`${{ env.REGISTRY }}/${{ github.repository }}/tale-${svc}:${{ needs.prepare.outputs.version_number }}\` |" >> "$GITHUB_STEP_SUMMARY"
           done
           echo "" >> "$GITHUB_STEP_SUMMARY"

.github/workflows/security.yml

@@ -11,6 +11,15 @@ on:
       - 'services/rag/uv.lock'
       - 'services/rag/pyproject.toml'
       - 'packages/*/pyproject.toml'
+      # Dockerfile + dockerignore changes alter what trivy's misconfig
+      # scanner sees on the fs-scan path; .trivyignore.yaml changes can
+      # silently un-suppress findings. Round-2 R2-B11 found this branch
+      # added new Dockerfiles + a trivyignore without re-triggering the
+      # security scan — PRs went out blind.
+      - 'services/*/Dockerfile'
+      - 'services/*/Dockerfile.dockerignore'
+      - '.trivyignore.yaml'
+      - '.trivyignore'
       - '.github/workflows/security.yml'
   push:
     branches:
@@ -22,6 +31,10 @@ on:
       - 'services/rag/uv.lock'
       - 'services/rag/pyproject.toml'
       - 'packages/*/pyproject.toml'
+      - 'services/*/Dockerfile'
+      - 'services/*/Dockerfile.dockerignore'
+      - '.trivyignore.yaml'
+      - '.trivyignore'
       - '.github/workflows/security.yml'
   schedule:
     - cron: '0 3 * * 1' # Monday 03:00 UTC
@@ -83,7 +96,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Run Trivy filesystem scan
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
         with:
           scan-type: 'fs'
           scan-ref: '.'
@@ -93,6 +106,9 @@ jobs:
           exit-code: '0'
           scanners: 'vuln,secret,misconfig'
           ignore-unfixed: true
+          # Per-path misconfig suppressions live in .trivyignore.yaml; the
+          # plain .trivyignore is auto-detected but cannot scope by path.
+          trivyignores: '.trivyignore.yaml'
           # Skip handlebars Dockerfile templates: handlebars syntax confuses
           # the misconfig scanner. The generated Dockerfiles are scanned
           # downstream when each service runs its own build.

.trivyignore.yaml

@@ -0,0 +1,37 @@
+# =============================================================================
+# Trivy Ignore File (YAML)
+# =============================================================================
+# Per-path suppressions for vulnerabilities, misconfigurations, secrets, and
+# licenses. Plain CVE-only entries can also live in `.trivyignore` next to
+# this file; YAML is needed when scoping by `paths`.
+#
+# Docs: https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/
+# Loaded by CI via `trivyignores:` on the trivy-action invocations in
+# .github/workflows/security.yml and .github/workflows/build.yml.
+# =============================================================================
+
+misconfigurations:
+  # AVD-DS-0002: "Image user should not be 'root'"
+  - id: AVD-DS-0002
+    paths:
+      - 'services/sandbox/Dockerfile'
+    statement: |
+      Sandbox spawner needs root inside the container to talk to the mounted
+      /var/run/docker.sock. The docker socket is the security boundary, not
+      the in-container UID. Documented in services/sandbox/Dockerfile.
+  - id: AVD-DS-0002
+    paths:
+      - 'services/sandbox-egress/Dockerfile'
+    statement: |
+      Egress proxy entrypoint runs as root only long enough to chown the log
+      file; tinyproxy itself drops privileges to `nobody` at bind time via
+      tinyproxy.conf. Documented in services/sandbox-egress/Dockerfile.
+
+  # AVD-DS-0026: "No HEALTHCHECK defined"
+  - id: AVD-DS-0026
+    paths:
+      - 'services/sandbox-runtime/Dockerfile'
+    statement: |
+      Sandbox runtime is an ephemeral one-shot image: the spawner runs it per
+      code_run call, entrypoint.sh executes the user code, and the container
+      exits. There is no long-running process to health-check.