feat(sandbox): remote & multi-backend sandbox support (Vercel, Daytona, Firecracker)

crates/cli/Cargo.toml

@@ -169,6 +169,7 @@ full = [
   "tls",
   "trusted-network",
   "vault",
+  "vercel-sandbox",
   "voice",
   "wasm",
   "web-ui",
@@ -231,6 +232,7 @@ tls                = ["moltis-httpd/tls"]
 trusted-network    = ["moltis-httpd/trusted-network"]
 vault              = ["moltis-httpd/vault", "moltis-web?/vault"]
 voice              = ["moltis-gateway/voice", "moltis-web?/voice"]
+vercel-sandbox     = ["moltis-tools/vercel-sandbox"]
 wasm               = ["moltis-tools/wasm"]
 web-ui             = ["dep:moltis-web", "moltis-httpd/web-ui"]
 whatsapp           = ["moltis-gateway/whatsapp"]

crates/config/src/schema/tools.rs

@@ -711,6 +711,62 @@ pub struct SandboxConfig {
     /// Acts as layer 6 in the policy resolution chain.
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub tools_policy: Option<ToolPolicyConfig>,
+
+    // ── Remote sandbox backends ─────────────────────────────────────────
+    /// Vercel API token for the Vercel Sandbox backend.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub vercel_token: Option<String>,
+    /// Vercel project ID.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub vercel_project_id: Option<String>,
+    /// Vercel team ID.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub vercel_team_id: Option<String>,
+    /// Vercel sandbox runtime (e.g. "node24", "python3.13").
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub vercel_runtime: Option<String>,
+    /// Vercel sandbox timeout in milliseconds.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub vercel_timeout_ms: Option<u64>,
+    /// Vercel sandbox vCPU count.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub vercel_vcpus: Option<u32>,
+
+    /// Daytona API key.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub daytona_api_key: Option<String>,
+    /// Daytona API URL (default: https://app.daytona.io/api).
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub daytona_api_url: Option<String>,
+    /// Daytona target region/environment.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub daytona_target: Option<String>,
+    /// Custom image for Daytona sandbox creation.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub daytona_image: Option<String>,
+
+    /// Vercel snapshot ID for fast cold starts.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub vercel_snapshot_id: Option<String>,
+
+    /// Path to the `firecracker` binary (Linux only).
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub firecracker_bin: Option<String>,
+    /// Path to the uncompressed Linux kernel (`vmlinux`).
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub firecracker_kernel: Option<String>,
+    /// Path to the base ext4 rootfs image.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub firecracker_rootfs: Option<String>,
+    /// Path to the SSH private key for VM access.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub firecracker_ssh_key: Option<String>,
+    /// Number of vCPUs per Firecracker VM.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub firecracker_vcpus: Option<u32>,
+    /// Memory in MiB per Firecracker VM.
+    #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub firecracker_memory_mb: Option<u32>,
 }
 
 /// Default packages installed in sandbox containers.
@@ -910,6 +966,23 @@ impl Default for SandboxConfig {
             wasm_epoch_interval_ms: None,
             wasm_tool_limits: None,
             tools_policy: None,
+            vercel_token: None,
+            vercel_project_id: None,
+            vercel_team_id: None,
+            vercel_runtime: None,
+            vercel_timeout_ms: None,
+            vercel_vcpus: None,
+            daytona_api_key: None,
+            daytona_api_url: None,
+            daytona_target: None,
+            daytona_image: None,
+            vercel_snapshot_id: None,
+            firecracker_bin: None,
+            firecracker_kernel: None,
+            firecracker_rootfs: None,
+            firecracker_ssh_key: None,
+            firecracker_vcpus: None,
+            firecracker_memory_mb: None,
         }
     }
 }

crates/gateway/src/approval.rs

@@ -262,6 +262,7 @@ mod tests {
             worktree_branch: None,
             sandbox_enabled: None,
             sandbox_image: None,
+            sandbox_backend: None,
             channel_binding: Some(
                 serde_json::json!({
                     "channel_type": "telegram",
@@ -302,6 +303,7 @@ mod tests {
             worktree_branch: None,
             sandbox_enabled: None,
             sandbox_image: None,
+            sandbox_backend: None,
             channel_binding: Some("{not-json".into()),
             parent_session_key: None,
             fork_point: None,

crates/gateway/src/channel_events/tests.rs

@@ -175,6 +175,7 @@ fn attachable_session_filter_skips_archived_and_cron_sessions() {
         worktree_branch: None,
         sandbox_enabled: None,
         sandbox_image: None,
+        sandbox_backend: None,
         channel_binding: None,
         parent_session_key: None,
         fork_point: None,
@@ -218,6 +219,7 @@ fn format_attachable_sessions_shows_session_keys_when_labels_are_present() {
             worktree_branch: None,
             sandbox_enabled: None,
             sandbox_image: None,
+            sandbox_backend: None,
             channel_binding: None,
             parent_session_key: None,
             fork_point: None,
@@ -242,6 +244,7 @@ fn format_attachable_sessions_shows_session_keys_when_labels_are_present() {
             worktree_branch: None,
             sandbox_enabled: None,
             sandbox_image: None,
+            sandbox_backend: None,
             channel_binding: None,
             parent_session_key: None,
             fork_point: None,

crates/gateway/src/server/prepare_core.rs

@@ -1292,6 +1292,18 @@ pub async fn prepare_gateway_core(
                     .set_image_override(&entry.key, image.clone())
                     .await;
             }
+            if let Some(ref backend) = entry.sandbox_backend
+                && let Err(e) = sandbox_router
+                    .set_backend_override(&entry.key, backend)
+                    .await
+            {
+                tracing::debug!(
+                    session = entry.key,
+                    backend = backend.as_str(),
+                    error = %e,
+                    "skipping persisted sandbox backend override (backend not available)"
+                );
+            }
         }
     }
 

crates/gateway/src/session/service.rs

@@ -559,6 +559,21 @@ impl SessionService for LiveSessionService {
                 }
             }
         }
+        if let Some(sandbox_backend_opt) = p.sandbox_backend {
+            let sandbox_backend = sandbox_backend_opt.filter(|s| !s.is_empty());
+            self.metadata
+                .set_sandbox_backend(key, sandbox_backend.clone())
+                .await;
+            if let Some(ref router) = self.sandbox_router {
+                if let Some(ref name) = sandbox_backend {
+                    if let Err(e) = router.set_backend_override(key, name).await {
+                        warn!(session = key, error = %e, "failed to set sandbox backend override");
+                    }
+                } else {
+                    router.remove_backend_override(key).await;
+                }
+            }
+        }
 
         let entry = self
             .metadata
@@ -573,6 +588,7 @@ impl SessionService for LiveSessionService {
             "archived": entry.archived,
             "sandbox_enabled": entry.sandbox_enabled,
             "sandbox_image": entry.sandbox_image,
+            "sandbox_backend": entry.sandbox_backend,
             "worktree_branch": entry.worktree_branch,
             "mcpDisabled": entry.mcp_disabled,
             "agent_id": entry.agent_id,

crates/gateway/src/session_types.rs

@@ -38,6 +38,8 @@ pub struct PatchParams {
     pub mcp_disabled: Option<Option<bool>>,
     #[serde(default, deserialize_with = "double_option", alias = "sandbox_enabled")]
     pub sandbox_enabled: Option<Option<bool>>,
+    #[serde(default, deserialize_with = "double_option", alias = "sandbox_backend")]
+    pub sandbox_backend: Option<Option<String>>,
 }
 
 /// Deserialize a field as `Some(inner)` when present (even if null),

crates/sessions/migrations/20260430120000_session_sandbox_backend.sql

@@ -0,0 +1 @@
+ALTER TABLE sessions ADD COLUMN sandbox_backend TEXT;

crates/sessions/src/metadata.rs

@@ -34,6 +34,8 @@ pub struct SessionEntry {
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub sandbox_image: Option<String>,
     #[serde(default, skip_serializing_if = "Option::is_none")]
+    pub sandbox_backend: Option<String>,
+    #[serde(default, skip_serializing_if = "Option::is_none")]
     pub channel_binding: Option<String>,
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub parent_session_key: Option<String>,
@@ -132,6 +134,7 @@ impl SessionMetadata {
                 worktree_branch: None,
                 sandbox_enabled: None,
                 sandbox_image: None,
+                sandbox_backend: None,
                 channel_binding: None,
                 parent_session_key: None,
                 fork_point: None,
@@ -207,6 +210,15 @@ impl SessionMetadata {
         }
     }
 
+    /// Set the sandbox_backend override for a session.
+    pub fn set_sandbox_backend(&mut self, key: &str, backend: Option<String>) {
+        if let Some(entry) = self.entries.get_mut(key) {
+            entry.sandbox_backend = backend;
+            entry.updated_at = now_ms();
+            entry.version += 1;
+        }
+    }
+
     /// Set the mcp_disabled override for a session.
     pub fn set_mcp_disabled(&mut self, key: &str, disabled: Option<bool>) {
         if let Some(entry) = self.entries.get_mut(key) {
@@ -317,6 +329,7 @@ struct SessionRow {
     worktree_branch: Option<String>,
     sandbox_enabled: Option<i32>,
     sandbox_image: Option<String>,
+    sandbox_backend: Option<String>,
     channel_binding: Option<String>,
     parent_session_key: Option<String>,
     fork_point: Option<i32>,
@@ -344,6 +357,7 @@ impl From<SessionRow> for SessionEntry {
             worktree_branch: r.worktree_branch,
             sandbox_enabled: r.sandbox_enabled.map(|v| v != 0),
             sandbox_image: r.sandbox_image,
+            sandbox_backend: r.sandbox_backend,
             channel_binding: r.channel_binding,
             parent_session_key: r.parent_session_key,
             fork_point: r.fork_point.map(|v| v as u32),
@@ -409,6 +423,7 @@ impl SqliteSessionMetadata {
                 worktree_branch TEXT,
                 sandbox_enabled     INTEGER,
                 sandbox_image       TEXT,
+                sandbox_backend     TEXT,
                 channel_binding     TEXT,
                 parent_session_key  TEXT,
                 fork_point          INTEGER,
@@ -650,6 +665,22 @@ impl SqliteSessionMetadata {
         });
     }
 
+    pub async fn set_sandbox_backend(&self, key: &str, backend: Option<String>) {
+        let now = now_ms() as i64;
+        sqlx::query(
+            "UPDATE sessions SET sandbox_backend = ?, updated_at = ?, version = version + 1 WHERE key = ?",
+        )
+        .bind(&backend)
+        .bind(now)
+        .bind(key)
+            .execute(&self.pool)
+            .await
+            .ok();
+        self.emit(crate::session_events::SessionEvent::Patched {
+            session_key: key.to_string(),
+        });
+    }
+
     pub async fn set_worktree_branch(&self, key: &str, branch: Option<String>) {
         let now = now_ms() as i64;
         sqlx::query(

crates/tools/Cargo.toml

@@ -5,7 +5,8 @@ version.workspace = true
 
 [features]
 bundled-skills = ["moltis-skills/bundled-skills"]
-default        = ["firecrawl", "fs-tools", "metrics", "wasm"]
+default        = ["firecrawl", "fs-tools", "metrics", "vercel-sandbox", "wasm"]
+vercel-sandbox = ["dep:flate2"]
 embedded-wasm = []
 firecrawl     = []
 # Native filesystem tools (Read, Write, Edit, MultiEdit, Glob, Grep).
@@ -27,6 +28,7 @@ anyhow                = { workspace = true }
 async-trait           = { workspace = true }
 base64                = { workspace = true }
 bytes                 = { workspace = true }
+flate2                = { optional = true, workspace = true }
 futures               = { workspace = true }
 globset               = { optional = true, workspace = true }
 grep-matcher          = { optional = true, workspace = true }

crates/tools/src/exec.rs

@@ -457,7 +457,8 @@ impl AgentTool for ExecTool {
         // fail with ENOENT on the host, so we must fall back to the host
         // data directory.
         let has_container_backend = if let Some(ref router) = self.sandbox_router {
-            router.backend().provides_fs_isolation()
+            let sk = session_key.unwrap_or("main");
+            router.resolve_backend(sk).await.provides_fs_isolation()
         } else {
             self.sandbox.provides_fs_isolation()
         };
@@ -603,7 +604,7 @@ impl AgentTool for ExecTool {
             if is_sandboxed {
                 let id = router.sandbox_id_for(sk);
                 let image = router.resolve_image(sk, None).await;
-                let backend = router.backend();
+                let backend = router.resolve_backend(sk).await;
                 info!(session = sk, sandbox_id = %id, backend = backend.backend_name(), image, "sandbox ensure_ready");
                 let announce_prepare = router.mark_preparing_once(sk).await;
                 if announce_prepare {
@@ -633,6 +634,26 @@ impl AgentTool for ExecTool {
                         backend: backend.backend_name().to_string(),
                         image: image.clone(),
                     });
+
+                    // Sync workspace for isolated backends on first run.
+                    if backend.is_isolated()
+                        && let Some(host_workspace) =
+                            crate::sandbox::sync::resolve_sync_workspace(router.config(), &id)
+                        && let Err(e) = crate::sandbox::sync::sync_in(
+                            &*backend,
+                            &id,
+                            &host_workspace,
+                            crate::sandbox::sync::DEFAULT_SANDBOX_WORKSPACE,
+                        )
+                        .await
+                    {
+                        warn!(
+                            session = sk,
+                            sandbox_id = %id,
+                            error = %e,
+                            "workspace sync-in failed, sandbox starts with empty workspace"
+                        );
+                    }
                 }
                 debug!(session = sk, sandbox_id = %id, command, "sandbox running command");
                 let mut sandbox_result = backend.exec(&id, command, &opts).await?;

crates/tools/src/process.rs

@@ -133,7 +133,7 @@ impl ProcessTool {
             if is_sandboxed {
                 let id = router.sandbox_id_for(session_key);
                 let image = router.resolve_image(session_key, None).await;
-                let backend = router.backend();
+                let backend = router.resolve_backend(session_key).await;
                 backend.ensure_ready(&id, Some(&image)).await?;
                 return Ok(backend.exec(&id, &command, &opts).await?);
             }