Feat/k8s sandbox

[pedrofrxncx]

What is this contribution about?

Describe your changes and why they're needed.

Screenshots/Demonstration

Add screenshots or a Loom video if your changes affect the UI.

How to Test

Provide step-by-step instructions for reviewers to test your changes:

1. Step one
2. Step two
3. Expected outcome

Migration Notes

If this PR requires database migrations, configuration changes, or other setup steps, document them here. Remove this section if not applicable.

Review Checklist

• PR title is clear and descriptive
• Changes are tested and working
• Documentation is updated (if needed)
• No breaking changes

---

Summary by cubic

Adds a Kubernetes sandbox runner and moves repo bootstrap to run in the background with live setup logs. Mesh/SDK accept runnerKind: "kubernetes"; the daemon adds a per-boot bootId, and the image bumps to Bun 1.3.11.

• New Features

  • Kubernetes runner: KubernetesSandboxRunner in mesh-plugin-user-sandbox/runner/k8s (opt in with MESH_SANDBOX_RUNNER=kubernetes). Uses per-claim DAEMON_TOKEN, Bun-native TLS fetch with kubeconfig creds, readiness watch, and deterministic local port-forward; supports previewUrlPattern for ingress-based previews, and refreshes claim TTL via shutdownTime. Rehydrates state and forces re-bootstrap if bootId changes. Added @kubernetes/client-node, loaded only when this runner is used.
  • Bootstrap/logs: run repo bootstrap in the background for Docker and Kubernetes; persist the handle before clone so /api/sandbox/<handle> resolves immediately; stream setup logs via logSource: "setup" over the daemon’s SSE ring.
  • Mesh app/SDK: widened runnerKind to include "kubernetes" across API, tools, UI, and VmMapEntry; sandbox proxy now accepts "kubernetes". Mesh dynamically imports mesh-plugin-user-sandbox/runner/k8s only when selected.
  • Daemon/image: /health returns bootId; /bash accepts logSource and streams output; log splitting handles CR/LF; dev server sets CI=1 to avoid TTY prompts; Bun upgraded to 1.3.11.

• Migration

  • Default remains Docker; no changes required.
  • To try k8s locally: run deploy/k8s-sandbox/local/up.sh, set MESH_SANDBOX_RUNNER=kubernetes, start Mesh. Use reload-image.sh to iterate and smoke.ts to verify. Tear down with down.sh.

^{Written for commit 4c63497. Summary will update on new commits.}

[github-actions]

Release Options

Suggested: Patch (2.275.2) — default (no conventional commit prefix detected)

React with an emoji to override the release type:

Reaction	Type	Next Version
👍	Prerelease	2.275.2-alpha.1
🎉	Patch	2.275.2
❤️	Minor	2.276.0
🚀	Major	3.0.0

Current version: 2.275.1

Note: If multiple reactions exist, the smallest bump wins. If no reactions, the suggested bump is used (default: patch).

[github-actions]

🧪 Benchmark

Should we run the Virtual MCP strategy benchmark for this PR?

React with 👍 to run the benchmark.

Reaction	Action
👍	Run quick benchmark (10 & 128 tools)

Benchmark will run on the next push after you react.

[tlgimenes]

Heads up — PR #3178 lands a unified daemon codebase at packages/sandbox/daemon/ shared by freestyle and docker, shipped as a single daemon/dist/daemon.js bundle. Once it merges, your K8s runner can COPY (or mount) the same bundle instead of duplicating image/daemon.mjs.

The unified daemon already exposes /health with bootId for restart detection, so your runner can drop that bit and consume it from the shared surface. Paths are /_decopilot_vm/* with base64-wrapped bodies everywhere.

Happy to pair on the rebase when #3178 is in — should be small for the k8s side since the daemon contract is the same across runners.