# Sandbox Environment

## Overview

The sandbox environment provides a safe space for agents to execute tasks without affecting production systems. Currently configured to use localhost (the current VM) as the primary sandbox target.

## Structure

```
/opt/agent-governance/sandbox/
├── README.md                     # This file
├── FIRST_TASK.md                 # First task for Tier 1 promotion
├── ansible/
│   ├── deploy-service.yml        # Deploy Docker services
│   └── rollback-service.yml      # Rollback deployments
└── terraform/
    └── docker-service/
        └── main.tf               # Terraform Docker provider config
```

## Current Environment

| Component | Status | Port |
|-----------|--------|------|
| Docker | Running | - |
| Vault | Running | 8200 |
| DragonflyDB | Running | 6379 |
| Spark Master | Running | 9944, 7077 |
| Spark Worker | Running | - |
| Redis Cache | Running | 6380 |
| Nginx Proxy | Running | 8888 |
| Prometheus | Running | 9090 |

## Inventory

The sandbox inventory is defined in `/opt/agent-governance/inventory/sandbox.yml`.

**Available Targets:**

| Host | Access | Purpose |
|------|--------|---------|
| localhost | Tier 0-4 | Primary sandbox (current VM) |
| staging-local | Tier 2-4 | Staging (Docker namespace) |

## Usage by Tier

### Tier 0 (Observer)

- Can read inventory and documentation
- Can generate plans using Ansible `--check` mode
- Can run `terraform plan` (no apply)
- Cannot execute any changes

### Tier 1 (Operator)

- Can execute Ansible playbooks on sandbox hosts
- Can run `terraform apply` on sandbox
- Limited to sandbox targets only

### Tier 2+ (Builder, Executor, Architect)

- Full sandbox access
- Staging access
- Production access varies by tier

## Quick Start

### Deploy a Service (Tier 1+)

```bash
# Ansible
ansible-playbook -i /opt/agent-governance/inventory/sandbox.yml \
  /opt/agent-governance/sandbox/ansible/deploy-service.yml \
  -e service_name=my-service \
  -e image=nginx:alpine \
  -e port=8080

# Terraform
cd /opt/agent-governance/sandbox/terraform/docker-service
terraform init
terraform apply -var="service_name=my-service"
```

### Plan Only (Tier 0)

```bash
# Ansible check mode
ansible-playbook --check deploy-service.yml -e service_name=test

# Terraform plan
terraform plan -var="service_name=test"
```

## Future Expansion

When Proxmox is available:

- Add dedicated sandbox VMs (sandbox-vm-01, sandbox-vm-02, sandbox-vm-03)
- Configure network isolation
- Enable snapshot-based rollback
- Add more complex multi-VM scenarios
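
The tier rules under "Usage by Tier" and the "Available Targets" table can be enforced by a wrapper that builds the `ansible-playbook` command line instead of letting the agent supply it. The following is an added example, not part of this repository: `build_ansible_cmd`, `min_tier_for_host` and the integer tier argument are assumptions, and how an agent's tier is assigned and verified is out of scope.

```bash
# Added example (not project code): tier gate in front of ansible-playbook.
# Assumption: the caller's tier is passed in as an integer 0-4.
INVENTORY=/opt/agent-governance/inventory/sandbox.yml

# Lowest tier allowed on each host, taken from the "Available Targets" table.
min_tier_for_host() {
  case "$1" in
    localhost)     echo 0 ;;
    staging-local) echo 2 ;;
    *)             return 1 ;;   # not a sandbox target
  esac
}

# build_ansible_cmd TIER HOST PLAYBOOK [ansible args...]
# Prints the command to run, or exits non-zero with a reason on stderr.
# The body is a subshell, so variables stay local and `exit` ends only this call.
build_ansible_cmd() (
  [ "$#" -ge 3 ] || { echo "usage: build_ansible_cmd TIER HOST PLAYBOOK [args]" >&2; exit 2; }
  tier=$1 host=$2 playbook=$3
  shift 3
  case "$tier" in
    [0-4]) ;;
    *) echo "deny: invalid tier '$tier'" >&2; exit 2 ;;
  esac
  min=$(min_tier_for_host "$host") || { echo "deny: '$host' is not a sandbox target" >&2; exit 3; }
  [ "$tier" -ge "$min" ] || { echo "deny: tier $tier is below tier $min required for $host" >&2; exit 4; }
  # The gate owns inventory and host selection; refuse caller overrides.
  for a in "$@"; do
    case "$a" in
      -i*|--inventory*|-l*|--limit*) echo "deny: '$a' would override the gate" >&2; exit 5 ;;
    esac
  done
  cmd="ansible-playbook -i $INVENTORY --limit $host"
  # Tier 0 is plan-only: check mode is forced, whatever was requested.
  if [ "$tier" -eq 0 ]; then cmd="$cmd --check"; fi
  set -- "$playbook" "$@"
  echo "$cmd $*"
)
```

The gate fails closed: a host missing from the table, a tier below the host's minimum, or an attempt to pass `-i` or `--limit` is rejected before any command is produced.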