Runtime Sandbox Hardening

Understand runtime quotas, scoped secrets, loopback preview, artifact capture, abuse controls, and sandbox audit events


Runtime Sandbox Hardening defines the trust boundary for Workspace server-side execution. Runtime workspaces still use the local-process provider for development, but every start request is now evaluated before files are staged or commands run.

Each runtime sandbox carries:

  • A trust boundary that identifies the provider as host_local_process.
  • File count, per-file size, total byte, command length, command timeout, and log tail quotas.
  • A loopback-only preview declaration for 127.0.0.1/localhost.
  • A database-only secret scope so host secrets are stripped from process env.
  • Abuse controls for path traversal, destructive shell commands, tunneling commands, nested orchestration, and runtime artifact capture.
  • Runtime artifacts for workspace snapshot metadata, logs, metadata JSON, and artifact manifest.
  • Sandbox audit events for start, refresh, stop, restart, denial, expiration, and artifact capture.

The provider-backed /api/sandbox/* API uses a parallel hardening report for hosted container providers. It clamps template resource overrides, normalizes workspace paths, redacts user-provided secret env keys by default, blocks dangerous shell commands before provider execution, and returns hardening metadata from provision, status, exec, file, and keep-alive responses.

Enforcement Points

The runtime executor checks:

  • Workspace paths: rejects empty, null-byte, or .. paths before staging.
  • File quotas: rejects workspaces above the file count, per-file byte, or total byte limits.
  • Commands: rejects overlong commands and blocked shell patterns such as tunnels, remote shells, nested containers, and destructive filesystem operations.
  • Environment: builds a scoped env with PATH, preview variables, cache/tmp dirs, runtime markers, and workspace database env only.
  • Logs: reads bounded log tails instead of loading unbounded runtime logs.
  • Artifacts: writes a runtime artifact manifest for post-run inspection.
  • Audit: emits append-only runtime audit events through the admin audit surface.
  • Provider API: adds sandbox hardening reports and per-session audit events around /api/sandbox/* operations.
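The path, quota, and command checks above run as one gate before any file is staged or any command is executed. The following is an added example of such a gate, written for this page and not taken from the project's executor: the quota defaults, the field names, the absolute-path rejection, and the blocklist patterns are assumptions chosen to illustrate each abuse category the page names, not the project's actual list.

```typescript
// Added example, not reformcode's own executor code: a start-request gate that
// mirrors the path, quota, and command enforcement points described above.
// Quota values, field names, and the blocklist patterns are assumptions.

export interface RuntimeQuotas {
  maxFiles: number;
  maxFileBytes: number;
  maxTotalBytes: number;
  maxCommandLength: number;
}

export interface StagedFile {
  path: string;   // workspace-relative path supplied by the caller
  bytes: number;  // size of the file content to stage
}

export interface StartRequest {
  files: StagedFile[];
  command: string;
}

export interface StartDecision {
  allowed: boolean;
  provider: "host_local_process"; // trust boundary carried by every sandbox
  denials: string[];              // empty when the request may proceed
}

// Assumed defaults; real quotas would come from runtime configuration.
export const DEFAULT_QUOTAS: RuntimeQuotas = {
  maxFiles: 200,
  maxFileBytes: 1000000,
  maxTotalBytes: 20000000,
  maxCommandLength: 2000,
};

// Constructed blocklist with one or two entries per abuse category named on
// the page. A production list would be longer; the point is that it runs
// before anything reaches the shell.
const BLOCKED_COMMAND_PATTERNS: Array<{ category: string; pattern: RegExp }> = [
  { category: "destructive filesystem", pattern: /\brm\s+-[A-Za-z]*r[A-Za-z]*\s+\/(?:\s|$)/ },
  { category: "destructive filesystem", pattern: /\b(?:mkfs(?:\.\w+)?|shred)\b/ },
  { category: "tunnel", pattern: /\b(?:ngrok|cloudflared|localtunnel)\b/ },
  { category: "tunnel", pattern: /\bssh\b[^\n]*\s-[RLD]\b/ },
  { category: "remote shell", pattern: /\/dev\/tcp\// },
  { category: "remote shell", pattern: /\b(?:nc|ncat|netcat)\b/ },
  { category: "nested container", pattern: /\b(?:docker|podman|nerdctl)\b/ },
];

// Returns null for an acceptable workspace-relative path, else the reason.
export function validateWorkspacePath(p: string): string | null {
  if (p.length === 0) return "empty path";
  if (p.includes("\0")) return "null byte in path";
  // Absolute paths are rejected here as an assumption (they would escape the
  // staging directory); the page itself only names empty, null-byte and ..
  if (p.startsWith("/") || /^[A-Za-z]:[\\/]/.test(p)) return "absolute path";
  // Split on either separator so "..\\x" and "../x" are both caught.
  if (p.split(/[\\/]+/).includes("..")) return "parent traversal (..)";
  return null;
}

// Command length quota plus the blocked shell patterns; returns denial reasons.
export function checkCommand(command: string, quotas: RuntimeQuotas = DEFAULT_QUOTAS): string[] {
  const denials: string[] = [];
  if (command.length > quotas.maxCommandLength) {
    denials.push(`command length ${command.length} exceeds ${quotas.maxCommandLength}`);
  }
  for (const { category, pattern } of BLOCKED_COMMAND_PATTERNS) {
    if (pattern.test(command)) denials.push(`blocked ${category} pattern`);
  }
  return denials;
}

export function evaluateStartRequest(
  req: StartRequest,
  quotas: RuntimeQuotas = DEFAULT_QUOTAS,
): StartDecision {
  const denials: string[] = [];

  // Paths are checked before anything is staged.
  for (const f of req.files) {
    const problem = validateWorkspacePath(f.path);
    if (problem !== null) denials.push(`path ${JSON.stringify(f.path)}: ${problem}`);
  }

  // File count, per-file size, and total staged bytes.
  if (req.files.length > quotas.maxFiles) {
    denials.push(`${req.files.length} files exceeds quota of ${quotas.maxFiles}`);
  }
  let totalBytes = 0;
  for (const f of req.files) {
    totalBytes += f.bytes;
    if (f.bytes > quotas.maxFileBytes) {
      denials.push(`file ${JSON.stringify(f.path)} is ${f.bytes} bytes, quota ${quotas.maxFileBytes}`);
    }
  }
  if (totalBytes > quotas.maxTotalBytes) {
    denials.push(`total ${totalBytes} bytes exceeds quota of ${quotas.maxTotalBytes}`);
  }

  // Command length and blocked shell patterns.
  denials.push(...checkCommand(req.command, quotas));

  return { allowed: denials.length === 0, provider: "host_local_process", denials };
}
```

All denial reasons are collected rather than returning on the first one, so a single runtime.denied audit event can carry the complete picture; the reasons name the offending path or quota but never echo secret values.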

Secret Scope

The executor no longer inherits process.env wholesale. Host keys containing sensitive patterns such as SECRET, TOKEN, PASSWORD, OPENAI, ANTHROPIC, GEMINI, CLERK, STRIPE, REDIS, BLOB, DATABASE_URL, and DIRECT_URL are recorded as stripped and are not injected.

Workspace database env is still allowed because it is provisioned for the sandbox. The runtime state records the injected key names, not their values.
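As an added example, not the project's own code, the function below builds a scoped env of the kind described in this section: only PATH comes from the host, the preview, cache/tmp and marker variables are set explicitly, host keys matching the sensitive patterns are recorded by name and dropped, and the workspace database env is injected with its key names recorded. The specific variable names (PREVIEW_HOST, RUNTIME_SANDBOX and so on) and the directory layout are assumptions.

```typescript
// Added example, not reformcode's own executor code: builds the scoped process
// env described above and reports stripped and injected key names (never
// values). Variable names such as PREVIEW_HOST and RUNTIME_SANDBOX are assumptions.

export type EnvMap = Record<string, string>;

// Substrings the page lists as sensitive; matched case-insensitively on the key.
export const SENSITIVE_KEY_PATTERNS: string[] = [
  "SECRET", "TOKEN", "PASSWORD", "OPENAI", "ANTHROPIC", "GEMINI",
  "CLERK", "STRIPE", "REDIS", "BLOB", "DATABASE_URL", "DIRECT_URL",
];

export interface ScopedEnvReport {
  env: EnvMap;
  strippedKeys: string[];          // host keys matched by a sensitive pattern
  injectedDatabaseKeys: string[];  // workspace-provisioned keys that were allowed
}

export function isSensitiveHostKey(key: string): boolean {
  const upper = key.toUpperCase();
  return SENSITIVE_KEY_PATTERNS.some((p) => upper.includes(p));
}

export function buildScopedEnv(
  hostEnv: EnvMap,
  workspaceDatabaseEnv: EnvMap,
  workspaceDir: string,
  previewPort: number,
): ScopedEnvReport {
  const env: EnvMap = {};

  // Only PATH is carried over from the host; nothing else is inherited.
  if (hostEnv.PATH !== undefined) env.PATH = hostEnv.PATH;

  // Loopback-only preview declaration.
  env.PREVIEW_HOST = "127.0.0.1";
  env.PREVIEW_PORT = String(previewPort);
  env.PREVIEW_URL = `http://127.0.0.1:${previewPort}`;

  // Cache and tmp dirs kept inside the workspace (assumed layout).
  env.TMPDIR = `${workspaceDir}/.tmp`;
  env.XDG_CACHE_HOME = `${workspaceDir}/.cache`;

  // Runtime markers so tooling inside the sandbox can recognise it.
  env.RUNTIME_SANDBOX = "1";
  env.RUNTIME_PROVIDER = "host_local_process";

  // Host secrets are recorded by name and dropped; the remaining host keys are
  // simply not inherited, so they need no record.
  const strippedKeys = Object.keys(hostEnv)
    .filter((k) => k !== "PATH" && isSensitiveHostKey(k))
    .sort();

  // Workspace database env is provisioned for this sandbox, so it is injected
  // even though names like DATABASE_URL would match the sensitive list if
  // they came from the host. Only the key names go into the report.
  const injectedDatabaseKeys = Object.keys(workspaceDatabaseEnv).sort();
  for (const k of injectedDatabaseKeys) env[k] = workspaceDatabaseEnv[k];

  return { env, strippedKeys, injectedDatabaseKeys };
}
```

Because the report holds names only, it can be written straight into the runtime state or an audit event without creating a second copy of any secret.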

Artifact Manifest

Each started sandbox writes:

.reformcode-runtime.log
.reformcode-runtime.json
.reformcode-runtime-artifacts.json

The artifact manifest captures file count, total staged bytes, trust boundary metadata, and artifact paths. This gives operators enough evidence to debug runtime behavior without exposing host secrets.

Admin Audit

Runtime actions are recorded as audit events:

  • runtime.started
  • runtime.refreshed
  • runtime.stopped
  • runtime.restarted
  • runtime.denied
  • runtime.failed
  • runtime.artifact_captured

Use the Admin Audit Log to filter by the runtime category when investigating sandbox activity.