Sandbox backends
What you'll find here
The craik.sandbox_backend contract — what it records, how isolation
modes pair with backend kinds, the policy boundary, and the
provider-neutrality rule.
Metadata-only.
The contract does not execute commands, start containers, connect to remote hosts, drive browsers, load secrets, or grant authority by itself.
What it records
Stable backend id and name
Backend kind
local_process · container · remote_shell · browser_tool.
Isolation mode
process · container · remote · browser.
Capability names & operations
Policy requirements
Envelopes · grants · receipts · redaction.
Non-secret runtime references
And metadata.
Documentation links
Isolation modes
Backend kind and isolation mode must match.
| Backend kind | Isolation mode |
|---|---|
local_process | process |
container | container |
remote_shell | remote |
browser_tool | browser |
This keeps local, containerized, remote shell, and browser/tool execution paths comparable while preserving their different trust boundaries.
Policy boundary
Every declared capability requires both a grant and a receipt.
Sandbox backends require policy envelopes, capability grants, receipts, and redaction.
Provider neutrality
Sandbox backend records must not contain provider ids, model routing choices, or secret-like metadata keys.
Provider routing
Chooses a model provider.
Sandbox routing
Chooses an execution backend.
Those decisions stay separate so policy can audit each boundary independently.
Backend pages
Local process backend
Host process execution boundaries.
Remote shell backend
SSH and remote command boundaries.
Browser tool boundary
Browser automation and tool execution boundaries.
Docker sandbox backend
Containerized execution boundaries.