feat: add sandbox_agent with per-context workspace isolation

a2a/sandbox_agent/Dockerfile

@@ -0,0 +1,37 @@
+FROM python:3.12-slim-bookworm
+ARG RELEASE_VERSION="main"
+
+# Install system tools for sandboxed execution
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    curl \
+    jq \
+    && rm -rf /var/lib/apt/lists/* \
+    # Install GitHub CLI
+    && curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
+       -o /usr/share/keyrings/githubcli-archive-keyring.gpg \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
+       > /etc/apt/sources.list.d/github-cli.list \
+    && apt-get update && apt-get install -y --no-install-recommends gh \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install uv
+RUN pip install --no-cache-dir uv
+
+WORKDIR /app
+ARG CACHE_BUST
+COPY . .
+RUN uv sync --no-cache --locked --link-mode copy
+
+ENV PRODUCTION_MODE=True \
+    RELEASE_VERSION=${RELEASE_VERSION} \
+    GH_CACHE_DIR=/workspace/.gh-cache \
+    XDG_CACHE_HOME=/workspace/.cache
+
+# Create workspace and set permissions.
+# Use chmod g+w so OCP arbitrary UIDs (same group) can write to /app.
+RUN mkdir -p /workspace /workspace/.gh-cache /workspace/.cache \
+    && chown -R 1001:0 /app /workspace && chmod -R g+w /app /workspace
+USER 1001
+
+CMD ["uv", "run", "--no-sync", "server"]

a2a/sandbox_agent/README.md

@@ -0,0 +1 @@
+# Sandbox Agent

a2a/sandbox_agent/pyproject.toml

@@ -0,0 +1,38 @@
+[project]
+name = "sandbox-agent"
+version = "0.0.1"
+description = "LangGraph agent with sandboxed shell execution and per-context workspace isolation."
+authors = []
+readme = "README.md"
+license = { text = "Apache" }
+requires-python = ">=3.11"
+dependencies = [
+    "a2a-sdk[http-server,postgresql]>=0.2.16",
+    "langgraph>=0.2.55",
+    "langchain-community>=0.3.9",
+    "langchain-openai>=0.3.7",
+    "langgraph-checkpoint-postgres>=2.0.0",
+    "asyncpg>=0.30.0",
+    "psycopg[binary]>=3.1.0",
+    "pydantic-settings>=2.8.1",
+    "opentelemetry-exporter-otlp",
+    "opentelemetry-instrumentation-starlette",
+    "openinference-instrumentation-langchain>=0.1.27",
+    "opentelemetry-instrumentation-openai>=0.34b0",
+    "httpx>=0.27.0",
+    "uvicorn>=0.40.0",
+    "starlette>=0.52.1",
+]
+
+[project.scripts]
+server = "sandbox_agent.agent:run"
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[dependency-groups]
+dev = [
+    "pytest>=9.0.2",
+    "pytest-asyncio>=1.3.0",
+]

a2a/sandbox_agent/settings.json

@@ -0,0 +1,20 @@
+{
+  "_comment": "Agent sandbox operation settings. Operations not in allow or deny go through HITL.",
+  "context_workspace": "/workspace/${CONTEXT_ID}",
+  "permissions": {
+    "allow": [
+      "shell(*:*)",
+      "network(outbound:*)",
+      "file(read:${WORKSPACE}/**)", "file(write:${WORKSPACE}/**)",
+      "file(delete:${WORKSPACE}/**)"
+    ],
+    "deny": [
+      "shell(rm -rf /:*)", "shell(rm -rf /*:*)", "shell(sudo:*)",
+      "shell(chmod 777:*)",
+      "shell(nc:*)", "shell(ncat:*)",
+      "file(read:/etc/shadow:*)", "file(write:/etc/**:*)",
+      "file(read:/proc/**:*)", "shell(mount:*)", "shell(umount:*)",
+      "shell(chroot:*)", "shell(nsenter:*)"
+    ]
+  }
+}

a2a/sandbox_agent/sources.json

@@ -0,0 +1,32 @@
+{
+  "_comment": "Declares what this agent can access and install. Baked into agent image.",
+  "agent_type": "python-data-agent",
+  "package_managers": {
+    "pip": {
+      "enabled": true,
+      "registries": [
+        {"name": "pypi", "url": "https://pypi.org/simple/", "trusted": true}
+      ],
+      "max_install_size_mb": 500,
+      "blocked_packages": ["subprocess32", "pyautogui"]
+    },
+    "conda": {"enabled": false},
+    "npm": {"enabled": false}
+  },
+  "web_access": {
+    "enabled": true,
+    "allowed_domains": ["github.com", "api.github.com", "raw.githubusercontent.com", "pypi.org", "huggingface.co", "docs.python.org"],
+    "blocked_domains": ["*.internal", "metadata.google.internal"]
+  },
+  "git": {
+    "enabled": true,
+    "allowed_remotes": ["https://github.com/*", "https://gitlab.com/*"],
+    "max_clone_size_mb": 1000
+  },
+  "runtime": {
+    "languages": ["python3.11", "bash"],
+    "interpreters": {"python": "/usr/bin/python3", "bash": "/bin/bash"},
+    "max_execution_time_seconds": 300,
+    "max_memory_mb": 2048
+  }
+}