Air-gapped local sandbox backend (alternative to Cloudflare Sandboxes) #23

@danielsmithdevelopment

Goal

Support strictly local / air-gapped code execution for sandbox_exec-class workloads without relying on Cloudflare Sandboxes + Workers bridge — for labs that cannot depend on cloud sandboxes.

Motivation

Enterprise local-first deployments (see ClawQL-Agent project-status.md) may require:

  • No outbound to Cloudflare for execution
  • Comparable isolation guarantees (filesystem, network egress controls, resource limits)

Possible directions (RFC)

  • gVisor (runsc) or Kata-style VMs behind a small API
  • Docker-in-Docker or rootless Docker with tight seccomp/AppArmor profiles
  • Firecracker microVMs (heavier ops)

Acceptance criteria

  • Architecture note comparing trade-offs vs current Cloudflare path.
  • Spike: one local backend with session semantics roughly aligned with existing sandbox_exec (persistent session id, languages, fs scope).
  • Security checklist: network policy, secret mounts, CPU/RAM caps.

Related

  • Existing cloud sandbox_exec implementation
  • ClawQL-Agent issue on Mesh + Sandboxes for hybrid connectivity (optional overlay)
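
One way the security checklist in the acceptance criteria (network policy, secret mounts, CPU/RAM caps) could be checked automatically for the rootless Docker direction. This is an added example, not code from the ClawQL project; the image name, host paths and both sample commands are constructed, and only the flags in `VALUE_FLAGS` are assumed to take a value.

```python
import shlex

# Flags that take a value; any other flag is treated as boolean (assumption).
VALUE_FLAGS = {"--network", "--memory", "-m", "--cpus", "--pids-limit",
               "--cap-drop", "--security-opt", "-v", "--volume"}
# Constructed samples; image name and host paths are placeholders.
WEAK = ("docker run --rm -v /var/run/docker.sock:/var/run/docker.sock "
        "-v /srv/secrets:/run/secrets --security-opt seccomp=unconfined "
        "sandbox-image:dev python -m job")
HARDENED = ("docker run --rm --network none --memory 512m --cpus 1 --pids-limit 128 "
            "--read-only --cap-drop ALL --security-opt no-new-privileges "
            "-v /srv/secrets:/run/secrets:ro sandbox-image:dev python -m job")

def parse_run_options(command):
    """Return {flag: [values]} for options between 'docker run' and the image name."""
    tokens = shlex.split(command)
    opts, i = {}, tokens.index("run") + 1
    while i < len(tokens) and tokens[i].startswith("-"):
        flag, sep, value = tokens[i].partition("=")
        if not sep and flag in VALUE_FLAGS and i + 1 < len(tokens):
            i, value = i + 1, tokens[i + 1]
        opts.setdefault(flag, []).append(value)
        i += 1
    return opts

def audit(command):
    """Return checklist findings; an empty list means every check passed."""
    opts, findings = parse_run_options(command), []
    if opts.get("--network") != ["none"]:
        findings.append("network: egress not disabled (expected --network none)")
    if not (opts.get("--memory") or opts.get("-m")):
        findings.append("resources: no RAM cap (--memory)")
    if not opts.get("--cpus"):
        findings.append("resources: no CPU cap (--cpus)")
    for spec in opts.get("-v", []) + opts.get("--volume", []):
        parts = spec.split(":")
        mode = parts[2].split(",") if len(parts) > 2 else []
        if "docker.sock" in parts[0]:
            findings.append(f"mounts: container runtime socket exposed ({spec})")
        elif "ro" not in mode:
            findings.append(f"mounts: writable bind mount ({spec})")
    for value in opts.get("--security-opt", []):
        if value in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append(f"profile: {value} disables confinement")
    return findings

if __name__ == "__main__":
    for name, cmd in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cmd) or "all checks passed")
```

Parsing stops at the image name, so arguments of the sandboxed command (such as `python -m`) are not mistaken for Docker flags.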
