
Phase 3 — Sandbox Isolation (E2B + Daytona) #3732

@haJ1t

Description


Phase 3 — Sandbox Isolation (E2B + Daytona)

Secure execution environments for agent operations that involve untrusted input or need isolation. E2B provides Firecracker microVM-level isolation for high-risk operations. Daytona provides Docker container isolation for parallel agent execution.

Dependencies

Tasks

E2B Integration (Firecracker microVM)

  • Install E2B SDK: cd Servers && npm install @e2b/code-interpreter
  • Create Servers/advisor/sandbox/e2bSandbox.ts:
    • Initialize E2B sandbox with configurable timeout and memory limits
    • Execute untrusted code/operations in isolated microVM
    • Capture stdout/stderr and return results
    • Auto-cleanup sandbox after execution
  • Define E2B use cases:
    • Code execution from AI-generated scripts
    • Document parsing of untrusted uploads (malicious PDF/DOCX defense)
    • External API calls to untrusted third-party services
  • Add environment variables: E2B_API_KEY
  • Add E2B error handling — timeout, OOM, crash recovery

Daytona Integration (Docker containers)

  • Install Daytona SDK: cd Servers && npm install @daytonaio/sdk
  • Create Servers/advisor/sandbox/daytonaSandbox.ts:
    • Spin up Docker containers for parallel agent execution
    • Resource limits per container (CPU, memory, network)
    • Shared volume for agent communication (if needed)
    • Container lifecycle management (create, execute, destroy)
  • Define Daytona use cases:
    • Parallel execution of multiple agents on complex queries
    • Isolated execution of long-running agent tasks
    • Batch processing (bulk risk analysis, bulk compliance check)
  • Add environment variables: DAYTONA_API_KEY, DAYTONA_SERVER_URL

Sandbox Router

  • Create Servers/advisor/sandbox/sandboxRouter.ts — decides which sandbox (if any) to use:
    • No sandbox: standard read operations, trusted internal API calls
    • E2B: untrusted code execution, external file parsing, third-party API calls
    • Daytona: parallel multi-agent tasks, batch processing, long-running operations
  • Decision factors: operation type, trust level, parallelism need, execution time estimate

Integration with Agents

  • Wire sandbox router into tool execution pipeline — before executing a tool, check if sandboxing is needed
  • Add sandbox metadata to Langfuse traces — track which operations were sandboxed and why
  • Add sandbox cost tracking — E2B and Daytona usage per organization

Sandbox Decision Matrix

| Operation | Sandbox | Reason |
| --- | --- | --- |
| Read from database | None | Trusted internal operation |
| Create/update entity | None | Goes through Approval Gateway |
| Parse uploaded PDF/DOCX | E2B | Untrusted file content |
| Execute AI-generated code | E2B | Untrusted code |
| Parallel multi-agent query | Daytona | Isolation + parallelism |
| Bulk compliance scan | Daytona | Long-running + resource intensive |
| External API call | E2B | Untrusted external endpoint |
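The router section, the agent-integration section and the decision matrix above describe one piece of logic: classify a tool call by operation type, trust level, parallelism and execution-time estimate, then record the decision alongside the execution. The following is an added example, not the project's sandboxRouter.ts, that implements the matrix as a function and shows the pre-execution hook that consults it and records trace metadata. The operation names, the ToolCall shape, the 60-second long-running threshold and the TraceMeta record are assumptions.

```typescript
// Added example (not the project's code): sandbox routing per the decision matrix,
// plus the hook that runs before every tool execution.

export type SandboxKind = "none" | "e2b" | "daytona";

export interface ToolCall {
  operation: string;          // assumed names: "db.read", "entity.write", "file.parse",
                              // "code.exec", "api.external", "agent.query", "compliance.scan"
  trustLevel: "trusted" | "untrusted";
  parallelism: number;        // how many agents or work items the call fans out to
  estimatedSeconds: number;   // caller's execution-time estimate
}

export interface SandboxDecision { sandbox: SandboxKind; reason: string }

// Assumed threshold: anything expected to run longer than this goes to Daytona.
const LONG_RUNNING_SECONDS = 60;

export function decideSandbox(call: ToolCall): SandboxDecision {
  // Highest risk first: operations that ingest untrusted content get microVM isolation
  // regardless of the other factors.
  switch (call.operation) {
    case "code.exec":    return { sandbox: "e2b", reason: "Untrusted code" };
    case "file.parse":   return { sandbox: "e2b", reason: "Untrusted file content" };
    case "api.external": return { sandbox: "e2b", reason: "Untrusted external endpoint" };
    case "entity.write": return { sandbox: "none", reason: "Goes through Approval Gateway" };
  }
  // A trusted-by-name operation that is fed untrusted input still gets isolated.
  if (call.trustLevel === "untrusted") {
    return { sandbox: "e2b", reason: "Untrusted input on an internal operation" };
  }
  if (call.parallelism > 1) {
    return { sandbox: "daytona", reason: "Isolation + parallelism" };
  }
  if (call.estimatedSeconds > LONG_RUNNING_SECONDS) {
    return { sandbox: "daytona", reason: "Long-running + resource intensive" };
  }
  return { sandbox: "none", reason: "Trusted internal operation" };
}

// Metadata attached to the trace so "which operations were sandboxed and why"
// can be answered later.
export interface TraceMeta {
  operation: string;
  sandboxed: boolean;
  sandbox: SandboxKind;
  reason: string;
}

// Pre-execution hook: decide, record, then dispatch to the runner for that sandbox.
export async function executeTool<T>(
  call: ToolCall,
  runners: Record<SandboxKind, (c: ToolCall) => Promise<T>>,
  trace: TraceMeta[],
): Promise<T> {
  const decision = decideSandbox(call);
  trace.push({
    operation: call.operation,
    sandboxed: decision.sandbox !== "none",
    sandbox: decision.sandbox,
    reason: decision.reason,
  });
  return runners[decision.sandbox](call);
}
```

Ordering matters in `decideSandbox`: the untrusted-content rules come before the parallelism and duration rules so that a parallel batch of untrusted parses cannot be downgraded from microVM isolation to a shared container runtime just because it is parallel.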

File Structure

Servers/advisor/sandbox/
├── e2bSandbox.ts
├── daytonaSandbox.ts
└── sandboxRouter.ts

Branch

feat/ai-foundation


Part of Phase 3 — Multi-Agent Orchestration
