Execute code in a sandbox
Guides & tutorials2 min read
Run bounded code with an explicit network profile and collect scanned artifacts.
Prepare sandbox templates, run bounded code with explicit limits, and collect the resulting artifacts through the scanned publish path. Prerequisites: a running local stack and E2B configured.
$ pnpm build:e2b:templates$ pnpm readiness:e2b:network- 1
Choose a template and network profile
Pick a purpose-built template for the task and an explicit network profile. Do not default to open egress.
- 2
Set limits
Bound wall-clock time, command output size, files written, resource usage, and artifact size before execution starts.
- 3
Execute the job
CodeAgent plans and reviews the patch; execution itself is delegated to the sandbox, never run inline in the agent runtime.
- 4
Publish artifacts
Upload outputs through the artifact service so they are scanned and scoped before anything is exposed to the run.
- Never inject signing material, connector refresh tokens, service-role keys, or exchange credentials into a sandbox, even for a trusted-looking script.
- A sandbox that will keep working later can be paused; one that finished or looks suspicious should be killed, not left idle.
Collect the artifacts
Artifacts are scoped to org, project, and user, and every one goes through the same scan-and-scope path before it is listed against the run.
const list = await fetch( `http://localhost:3110/v1/runs/${run.runId}/artifacts`, { headers: { authorization: `Bearer ${session.access_token}` } },);const { artifacts } = await list.json();const artifact = await fetch( `http://localhost:3110/v1/artifacts/${artifacts[0].id}`, { headers: { authorization: `Bearer ${session.access_token}` } },);| Method | Endpoint | Notes |
|---|---|---|
| GET | /v1/runs/{run_id}/artifacts | List everything a run produced |
| GET | /v1/artifacts/{id} | Org, project, and user scoped |
Was this page helpful?
Edit on GitHub