Skip to content

config

config

Sandbox configuration — plain dataclass for standalone and embedded use.

:class:SandboxConfig captures directory paths and settings that sandbox modules need. In standalone terok-sandbox use, it is resolved from environment variables and XDG defaults. When embedded in terok, the orchestration layer constructs it from :func:core.config values.

SandboxConfig(state_dir=_state_root(), runtime_dir=_runtime_root(), config_dir=_config_root(), credentials_dir=_credentials_root(), gate_port=9418, proxy_port=18731, ssh_agent_port=18732, shield_profiles=('dev-standard',), shield_audit=True, shield_bypass=False) dataclass

Immutable configuration for the sandbox layer.

All paths default to the XDG/FHS-resolved values from :mod:paths. Override individual fields when constructing from terok's global config or when using terok-sandbox standalone.

state_dir = field(default_factory=_state_root) class-attribute instance-attribute

Writable state root (tokens, gate repos, task data).

runtime_dir = field(default_factory=_runtime_root) class-attribute instance-attribute

Transient runtime directory (PID files, sockets).

config_dir = field(default_factory=_config_root) class-attribute instance-attribute

Sandbox-scoped configuration root.

Note: shield profiles are resolved by :attr:shield_profiles_dir via :func:~terok_sandbox.paths.umbrella_config_root, not from this directory.

credentials_dir = field(default_factory=_credentials_root) class-attribute instance-attribute

Shared credentials directory (DB, routes, env mounts).

gate_port = 9418 class-attribute instance-attribute

HTTP port for the gate server.

proxy_port = 18731 class-attribute instance-attribute

TCP port for the credential proxy (container access).

ssh_agent_port = 18732 class-attribute instance-attribute

TCP port for the SSH agent proxy (container access).

shield_profiles = ('dev-standard',) class-attribute instance-attribute

Shield egress firewall profile names.

shield_audit = True class-attribute instance-attribute

Whether shield audit logging is enabled.

shield_bypass = False class-attribute instance-attribute

DANGEROUS: when True, the egress firewall is completely disabled.

gate_base_path property

Return the gate server's repo base path.

token_file_path property

Return the path to the gate token file.

pid_file_path property

Return the PID file path for the managed gate daemon.

shield_profiles_dir property

Return the directory for terok-managed shield profiles.

proxy_db_path property

Return the path to the credential proxy sqlite3 database.

proxy_socket_path property

Return the Unix socket path for the credential proxy.

proxy_pid_file_path property

Return the PID file path for the managed credential proxy daemon.

proxy_routes_path property

Return the path to the proxy route configuration JSON.

ssh_keys_dir property

Return the base directory for per-project SSH keys.

ssh_keys_json_path property

Return the path to the SSH key mapping JSON.