feat(DATAGO-126152): Secure Tool Runtime (STR) sandbox worker #1086
Draft
mo-radwan1 wants to merge 4 commits into main from …-str-broker-executor
Conversation
Implement broker-based remote tool execution via bubblewrap-sandboxed worker containers. Agents delegate tool calls over Solace to a sandbox worker that executes customer-uploaded Python tools in isolated namespaces with resource limits.

Key components:
- sandbox-worker/: Container image (Dockerfile, entrypoint, build/run scripts)
- sandbox/app.py, component.py: Worker application and message handling
- sandbox/sandbox_runner.py: bwrap subprocess lifecycle and artifact I/O
- sandbox/tool_runner.py: In-sandbox tool function executor with type-aware injection
- sandbox/context_facade.py: ToolContextFacade API backed by local FS and named pipes
- sandbox/manifest.py: YAML tool manifest with auto-reload and wheel installation
- sandbox/protocol.py: JSON-RPC 2.0 request/response models
- sandbox/storage/: S3/GCS/Azure sync clients for tool file distribution
- sandbox/tool_sync_service.py: Background ETag-based incremental sync
- agent/tools/executors/sandboxed_executor.py: Agent-side executor (sam_remote)
- common/a2a/protocol.py: Solace topic helpers for invoke/response/status routing
…ecks
- Add HTTP health server with K8s startup/readiness/liveness probes
- Switch from --ro-bind / / to whitelist filesystem mounts (only /usr, /lib, /bin, /sbin, select /etc files, and tool source directory)
- Add --unshare-user to run sandboxed code as nobody (uid 65534)
- Add --tmpfs /var/run/secrets to hide K8s service account tokens
- Add path traversal protection for artifact filenames
- Add RLIMIT_NPROC to all sandbox profiles (fork bomb prevention)
- Add disk space checks and stale work directory cleanup
- Move auth validation before request parsing in component
- Add RESOURCE_EXHAUSTED error code to protocol
- Remove curl from final image to reduce attack surface
- Add sandbox unit tests
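Two of the hardening steps in the commit message above, the artifact filename traversal check and the whitelist-mount bwrap invocation that drops to uid 65534, masks /var/run/secrets and applies RLIMIT_NPROC, written out as an added, stand-alone example. This is not code from the PR or the project; every name in it (ArtifactPathError, safe_artifact_path, is_safe_artifact_name, build_bwrap_argv, apply_sandbox_rlimits, run_tool, the /tool and /work mount points, the whitelisted path lists) is an assumption for illustration, and the real sandbox_runner.py may be organised differently.

```python
"""Added example, not code from the PR or the project: two of the hardening
steps named in the commit message, written stand-alone in Python.

  1. Path traversal protection for artifact filenames.
  2. A whitelist-mount bubblewrap command line that drops to uid/gid 65534,
     masks /var/run/secrets with a tmpfs, and applies RLIMIT_NPROC to the child.

All names, mount points and path lists below are assumptions for this example.
"""
import os
import resource
import subprocess
from pathlib import Path


class ArtifactPathError(ValueError):
    """Raised when an artifact filename would land outside the work directory."""


def safe_artifact_path(work_dir: str, filename: str) -> Path:
    """Resolve `filename` strictly inside `work_dir`, or raise ArtifactPathError.

    Rejects empty or padded names, absolute paths, NUL bytes, any '..' segment,
    and names that resolve through symlinks to somewhere outside the work
    directory. The syntactic checks run before the filesystem is consulted, so
    a bad name is rejected even when nothing exists at that path yet.
    """
    if not filename or filename != filename.strip():
        raise ArtifactPathError(f"empty or padded artifact name: {filename!r}")
    if os.path.isabs(filename) or "\x00" in filename:
        raise ArtifactPathError(f"absolute or NUL-containing name: {filename!r}")
    if any(part == ".." for part in Path(filename).parts):
        raise ArtifactPathError(f"parent-directory traversal in {filename!r}")
    base = Path(work_dir).resolve()
    candidate = (base / filename).resolve()  # follows symlinks, as the kernel would
    if candidate == base or base not in candidate.parents:
        raise ArtifactPathError(f"{filename!r} escapes {work_dir}")
    return candidate


def is_safe_artifact_name(work_dir: str, filename: str) -> bool:
    """Boolean wrapper around safe_artifact_path, for filtering a list of names."""
    try:
        safe_artifact_path(work_dir, filename)
        return True
    except ArtifactPathError:
        return False


# Whitelisted read-only system paths (assumed lists). Anything not listed,
# including the rest of /etc and /var, simply does not exist inside the sandbox.
RO_SYSTEM_DIRS = ("/usr", "/lib", "/lib64", "/bin", "/sbin")
RO_ETC_FILES = ("/etc/ld.so.cache", "/etc/resolv.conf", "/etc/ssl/certs")


def build_bwrap_argv(tool_src_dir: str, work_dir: str, command: list[str]) -> list[str]:
    """Build the bwrap command line: whitelist mounts, unprivileged uid, masked secrets."""
    argv = [
        "bwrap",
        "--die-with-parent",  # tool dies with the worker
        "--new-session",      # detach from the worker's controlling terminal
        "--unshare-all",      # fresh pid/net/ipc/uts/cgroup namespaces
        "--unshare-user", "--uid", "65534", "--gid", "65534",  # run as nobody
        "--proc", "/proc", "--dev", "/dev",
        "--tmpfs", "/tmp",
        "--tmpfs", "/var/run/secrets",  # mask the K8s service-account token mount
    ]
    for d in RO_SYSTEM_DIRS:  # bind only what actually exists on the host
        if os.path.isdir(d):
            argv += ["--ro-bind", d, d]
    for f in RO_ETC_FILES:
        if os.path.exists(f):
            argv += ["--ro-bind", f, f]
    argv += [
        "--ro-bind", tool_src_dir, "/tool",  # customer tool code, read-only
        "--bind", work_dir, "/work",         # artifact exchange directory
        "--chdir", "/work",
        "--",
    ]
    return argv + list(command)


def apply_sandbox_rlimits(max_procs: int = 64, max_mem: int = 512 * 1024 * 1024) -> None:
    """Run in the child before exec: cap process count (fork-bomb guard) and address space.

    rlimits survive exec and are inherited by everything bwrap starts, so the
    tool and anything it forks are bounded. Tune the numbers per profile.
    """
    resource.setrlimit(resource.RLIMIT_NPROC, (max_procs, max_procs))
    resource.setrlimit(resource.RLIMIT_AS, (max_mem, max_mem))


def run_tool(tool_src_dir: str, work_dir: str, command: list[str], timeout_s: int = 30):
    """Launch the tool under bwrap with rlimits applied; returns a CompletedProcess."""
    argv = build_bwrap_argv(tool_src_dir, work_dir, command)
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout_s,
                          preexec_fn=apply_sandbox_rlimits, check=False)


if __name__ == "__main__":
    import tempfile
    work = tempfile.mkdtemp(prefix="str-work-")
    for name in ("result.json", "out/plot.png", "../etc/passwd", "/etc/shadow", "."):
        print(f"{name!r:18} -> {'ok' if is_safe_artifact_name(work, name) else 'REJECTED'}")
    print(" ".join(build_bwrap_argv("/srv/tools/demo", work, ["python3", "/tool/main.py"])))
```

The filename check deliberately resolves symlinks before comparing against the work directory, because a tool can create a symlink inside /work that points outside it; a purely string-based check would accept such a name. Running this module directly prints the verdict for a few sample names and the bwrap command line it would launch without actually executing it.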
Summary
Details
Sandbox Worker
- get_config(), get_secret() for tool authors
Sandboxed Executor
- sandboxed_executor.py) for SAM agents to invoke STR-hosted tools
Object Storage Abstraction
- services/platform/storage/ — async clients for S3, GCS, Azure (platform service side)
- sandbox/storage/ — sync clients for S3, GCS, Azure (sandbox worker side)
A2A Protocol Extensions
Test plan
- sam task send
- ctx.get_config()