feat: add microsandbox sandbox flow and feature flag toggle (#1446)

* add pre-baked microsandbox image Bake openwork, openwork-server, and the pinned opencode binary into a single Docker image so micro-sandbox remote-connect smoke tests can boot quickly and be verified with curl and container health checks. * add Rust microsandbox example Add a standalone microsandbox SDK example that boots the OpenWork image, validates remote-connect endpoints, and streams sandbox logs so backend-only sandbox behavior can be exercised without Docker. * exclude Rust example build output Keep the standalone microsandbox example in git, but drop generated Cargo target artifacts so the branch only contains source, docs, and lockfile. * test * add microsandbox feature flag for sandbox creation Made-with: Cursor * refactor sandbox mode isolation Made-with: Cursor
2026-05-05 06:42:03 +02:00 · 2026-04-15 15:10:52 -07:00
parent 9bd844c93d
commit 800602f4e3
27 changed files with 7120 additions and 38 deletions
--- a/packaging/docker/Dockerfile.microsandbox
+++ b/packaging/docker/Dockerfile.microsandbox
@@ -0,0 +1,71 @@
+FROM node:22-bookworm-slim AS openwork-builder
+
+WORKDIR /src
+
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends ca-certificates curl git unzip \
+  && npm install -g bun \
+  && corepack enable \
+  && rm -rf /var/lib/apt/lists/*
+
+COPY . .
+
+RUN pnpm install --frozen-lockfile --filter openwork-orchestrator... --filter openwork-server... \
+  && pnpm --filter openwork-orchestrator build:bin \
+  && pnpm --filter openwork-server build:bin
+
+FROM node:22-bookworm-slim
+
+ARG OPENWORK_ORCHESTRATOR_VERSION
+ARG OPENWORK_SERVER_VERSION
+ARG OPENCODE_VERSION
+ARG OPENCODE_DOWNLOAD_URL=
+
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends ca-certificates curl tar unzip \
+  && rm -rf /var/lib/apt/lists/*
+
+COPY --from=openwork-builder /src/apps/orchestrator/dist/bin/openwork /usr/local/bin/openwork
+COPY --from=openwork-builder /src/apps/server/dist/bin/openwork-server /usr/local/bin/openwork-server
+COPY --from=openwork-builder /src/constants.json /usr/local/constants.json
+COPY packaging/docker/microsandbox-entrypoint.sh /usr/local/bin/microsandbox-entrypoint.sh
+
+RUN set -eux; \
+  test -n "$OPENWORK_ORCHESTRATOR_VERSION"; \
+  test -n "$OPENWORK_SERVER_VERSION"; \
+  test -n "$OPENCODE_VERSION"; \
+  arch="$(dpkg --print-architecture)"; \
+  case "$arch" in \
+    amd64) asset="opencode-linux-x64-baseline.tar.gz" ;; \
+    arm64) asset="opencode-linux-arm64.tar.gz" ;; \
+    *) echo "unsupported architecture: $arch" >&2; exit 1 ;; \
+  esac; \
+  url="$OPENCODE_DOWNLOAD_URL"; \
+  if [ -z "$url" ]; then \
+    url="https://github.com/anomalyco/opencode/releases/download/v${OPENCODE_VERSION}/${asset}"; \
+  fi; \
+  tmpdir="$(mktemp -d)"; \
+  curl -fsSL "$url" -o "$tmpdir/$asset"; \
+  tar -xzf "$tmpdir/$asset" -C "$tmpdir"; \
+  binary="$(find "$tmpdir" -type f -name opencode | head -n 1)"; \
+  test -n "$binary"; \
+  install -m 0755 "$binary" /usr/local/bin/opencode; \
+  chmod +x /usr/local/bin/microsandbox-entrypoint.sh; \
+  rm -rf "$tmpdir"
+
+RUN test "$(openwork --version)" = "$OPENWORK_ORCHESTRATOR_VERSION" \
+  && test "$(openwork-server --version)" = "$OPENWORK_SERVER_VERSION" \
+  && opencode --version
+
+ENV OPENWORK_DATA_DIR=/data/openwork-orchestrator
+ENV OPENWORK_SIDECAR_DIR=/data/sidecars
+ENV OPENWORK_WORKSPACE=/workspace
+
+EXPOSE 8787
+
+VOLUME ["/workspace", "/data"]
+
+HEALTHCHECK --interval=10s --timeout=5s --start-period=20s --retries=12 \
+  CMD /bin/sh -c 'curl -fsS "http://127.0.0.1:${OPENWORK_PORT:-8787}/health" >/dev/null || exit 1'
+
+ENTRYPOINT ["/usr/local/bin/microsandbox-entrypoint.sh"]