22

Execute code in a sandbox

Guides & tutorials2 min read

Run bounded code with an explicit network profile and collect scanned artifacts.

Prepare sandbox templates, run bounded code with explicit limits, and collect the resulting artifacts through the scanned publish path. Prerequisites: a running local stack and E2B configured.

Sandbox readiness
$ pnpm build:e2b:templates$ pnpm readiness:e2b:network
  1. 1

    Choose a template and network profile

    Pick a purpose-built template for the task and an explicit network profile. Do not default to open egress.

  2. 2

    Set limits

    Bound wall-clock time, command output size, files written, resource usage, and artifact size before execution starts.

  3. 3

    Execute the job

    CodeAgent plans and reviews the patch; execution itself is delegated to the sandbox, never run inline in the agent runtime.

  4. 4

    Publish artifacts

    Upload outputs through the artifact service so they are scanned and scoped before anything is exposed to the run.

  • Never inject signing material, connector refresh tokens, service-role keys, or exchange credentials into a sandbox, even for a trusted-looking script.
  • A sandbox that will keep working later can be paused; one that finished or looks suspicious should be killed, not left idle.

Collect the artifacts

Artifacts are scoped to org, project, and user, and every one goes through the same scan-and-scope path before it is listed against the run.

List and fetch artifacts
const list = await fetch(  `http://localhost:3110/v1/runs/${run.runId}/artifacts`,  { headers: { authorization: `Bearer ${session.access_token}` } },);const { artifacts } = await list.json();const artifact = await fetch(  `http://localhost:3110/v1/artifacts/${artifacts[0].id}`,  { headers: { authorization: `Bearer ${session.access_token}` } },);
MethodEndpointNotes
GET/v1/runs/{run_id}/artifactsList everything a run produced
GET/v1/artifacts/{id}Org, project, and user scoped

Was this page helpful?

Edit on GitHub