feat: add generic sandbox provider framework

[zouyonghe]

Summary

This PR turns sandbox computer-use runtimes into plugin-provided providers instead of shipping CUA, Shipyard, Shipyard Neo, Boxlite, and Bay implementations directly in core. Core now owns the provider-agnostic sandbox lifecycle, registry, lease/occupancy model, generic agent tools, dashboard management APIs, and plugin contract; runtime-specific code moves to external sandbox driver plugins.

The agent-facing sandbox API is consolidated into three generic tools:

• astrbot_sandbox_query: list_sandboxes, get_current, list_providers
• astrbot_sandbox_lifecycle: create, switch, release, renew_lease, set_retention, takeover, destroy
• astrbot_sandbox_operation: capture_screenshot, copy_file

Provider-specific tools remain possible for capabilities that are genuinely provider-specific, such as CUA mouse/keyboard actions or Shipyard Neo skill/browser operations. Screenshot is now a common sandbox operation through astrbot_sandbox_operation(action="capture_screenshot"), not a CUA-specific tool.

Architecture

Core now exposes a provider framework under astrbot.core.computer:

• SandboxProvider defines the runtime adapter protocol.
• SandboxManager owns lifecycle operations, leases, cleanup scheduling, provider selection, persistent reconnect, and runtime booter state.
• SandboxRegistry persists managed sandbox records, current sandbox bindings, default sandbox ids, lease holders, retention policy, status, capabilities, and tool metadata.
• SandboxRecord / SandboxStatus normalize persisted and API-facing sandbox state.
• sandbox_timeouts centralizes lease, idle, and TTL timeout parsing/formatting.
• sandbox_tool_binding marks provider-specific tools with provider metadata and exposes their config tags to the dashboard.

The old embedded runtime modules were removed from core:

• CUA booters/tools
• Shipyard booters/tools
• Shipyard Neo booters/tools
• Boxlite booter
• Bay manager booter
• runtime-specific config metadata in core defaults

Runtime implementations are expected to live in sandbox driver plugins and register themselves with register_sandbox_provider(...).

Lifecycle Design

Sandbox lifecycle is now explicit and stateful:

• creating: the sandbox record exists and background boot is in progress.
• running: a booter is available and the sandbox can be used.
• error: create/reconnect/destroy health checks failed and the record is preserved for visibility.
• stopping: destroy is in progress.
• stopped: a persistent sandbox was shut down but its record remains.
• unknown: persisted state exists, but runtime availability must be reconciled.

Dashboard-created sandboxes return immediately as creating and boot in the background. The dashboard polls status instead of blocking the request. Action buttons are guarded when a sandbox is not runnable, and backend routes return state-aware errors for creating/stopping/stopped/error sandboxes.

Persistent sandboxes can be reconnected on startup, switch, takeover, or observer access when the provider supports it. Temporary sandbox records are pruned on startup. Persistent records are preserved across restart and can be reconciled without eagerly destroying user state.

Occupancy, Leases, and Renewal

Sandbox access is guarded by a session-scoped occupancy lease:

• create, switch, and takeover acquire a lease for the requesting session.
• Successful sandbox-bound operations automatically renew the lease to now + sandbox_lease_timeout.
• The default lease timeout remains 600 seconds and is configurable through provider_settings.sandbox.sandbox_lease_timeout.
• 0 disables automatic expiry and requires manual release.
• When a lease expires, the session no longer has a current sandbox. get_current returns no current sandbox, and renew_lease cannot resurrect the expired lease.
• After expiry, agents must use list_sandboxes and then explicitly switch, takeover, or create before continuing sandbox work.
• Tool results for sandbox-bound operations include lease metadata such as lease_expires_at, lease_expires_in_seconds, and auto_renew_interval_seconds.
• release clears the current session occupancy.
• takeover lets a session explicitly take control of a sandbox, with state and ownership checks.

Expired leases are released when records are listed or accessed, so another session can reuse or take over the sandbox after the timeout. Existing leases are never shortened by renewal; renewal extends an active lease to at least now + configured timeout.

Dashboard monitoring can use observer access where appropriate. Read-only monitoring paths such as screenshot do not extend another session's lifetime, while mutating shell/action paths still go through explicit backend guards.

Idle and TTL Cleanup

The manager handles two cleanup dimensions:

• Idle timeout: temporary sandboxes without an active lease are cleaned up after their configured idle window.
• TTL timeout: sandboxes can be expired at a fixed time independent of idle activity.

Cleanup is resilient to provider failures:

• Destroy failures are retried with bounded attempts.
• Dead booters are removed instead of being retried forever.
• After max idle destroy attempts, the sandbox is marked error, the booter is retained for inspection, and idle cleanup state is cleared so the manager does not keep retrying forever.
• Destroy paths clean runtime memory state, pending tasks, boot locks, and registry state consistently.
• Startup cleanup removes stale temporary sandboxes and reconciles persistent records.

Active leases pause idle cleanup by rescheduling the idle deadline. Observer access that does not require a lease does not extend idle lifetime.

Agent Tooling

Core no longer injects one tool per sandbox action. Instead, it injects three grouped sandbox tools and documents their action parameters in the prompt. This keeps the tool surface smaller while preserving all management functionality.

Generic tools cover:

• Querying providers, current sandbox, and existing sandboxes.
• Creating, switching, releasing, renewing, changing retention, taking over, and destroying sandboxes.
• Capturing screenshots and copying files between sandboxes.

General computer tools such as shell, IPython, upload/download, and file operations remain separate. They act on the current sandbox when sandbox runtime is selected, but they are not sandbox management tools.

Provider-specific tools are marked as sandbox provider tools rather than ordinary plugin tools. They are shown in the dashboard as sandbox origin with provider-specific names and are read-only from generic plugin enable/disable controls.

Dashboard

This PR adds a sandbox management page and backend API support:

• Provider discovery and provider selection.
• Sandbox list with status, ownership, default marker, retention policy, capabilities, and tool names.
• Create, switch, release, takeover, destroy, set default, and retention updates.
• Screenshot and console actions for admin monitoring.
• Safer shell command handling and dangerous command confirmation.
• Localized UI strings for English, Chinese, and Russian.
• Dashboard tool table source labels for builtin, plugin, sandbox, MCP, and unknown tools.

The dashboard now loads sandbox providers dynamically rather than hardcoding core runtime-specific config/options.

Plugin Adapter Contract

Sandbox driver plugins should implement the provider layer instead of adding runtime code to core.

Required provider responsibilities:

• Provide a stable provider_id.
• Declare capabilities such as shell, python, filesystem, screenshot, mouse, or keyboard.
• Declare tool_names only for provider-specific tools contributed by the plugin.
• Implement build_create_config(context, session_id) for merging plugin config and user sandbox settings.
• Implement build_connect_info(sandbox_name, config) for persisted reconnect metadata.
• Implement create_booter(...) and destroy_booter(...).

Optional provider capabilities:

• plugin_config constructor input for plugin-level config.
• provider_api_version for future compatibility.
• system_prompt for provider-specific agent guidance.
• auto_sync_skills=False when the provider manages skill sync itself.
• supports_persistent_reconnect plus reconnect helpers for persistent sandbox restore.
• Lifecycle hooks such as on_sandbox_created and on_sandbox_destroyed.

Provider-specific tools should be registered through register_sandbox_provider(provider, tools=[...]) and marked with @sandbox_provider_tool(provider_id, config=...). Core handles registration, unregister, dashboard classification, and runtime cleanup. Plugins should not register provider-specific sandbox tools as ordinary builtin/core tools.

Migration Notes

Core now expects sandbox runtimes to be installed as plugins. Existing CUA, Shipyard, Shipyard Neo, and Boxlite runtime behavior should be supplied by their corresponding sandbox driver plugins.

Runtime-specific config keys were removed from core defaults and moved to plugin-owned config schemas. Core keeps only provider-agnostic sandbox settings such as selected provider, idle timeout, TTL, lease timeout, and default retention behavior.

For CUA specifically, screenshots should be provided through the generic astrbot_sandbox_operation capture_screenshot action. CUA provider-specific tools should only expose mouse/keyboard actions.

Verification

• uv run ruff check astrbot/core/computer/sandbox_manager.py tests/unit/test_sandbox_manager.py
• uv run pytest tests/unit/test_sandbox_manager.py -q -> 110 passed
• uv run ruff check tests/unit/test_astr_main_agent.py tests/test_sandbox_plugin_schema_contract.py
• uv run pytest tests/test_sandbox_plugin_schema_contract.py::test_cua_adapter_uses_core_screenshot_operation tests/unit/test_astr_main_agent.py::TestPluginToolFix::test_plugin_tool_fix_keeps_provider_specific_tools_in_sandbox_runtime tests/unit/test_astr_main_agent.py::TestPluginToolFix::test_plugin_tool_fix_hides_provider_specific_tools_outside_sandbox_runtime -q -> 3 passed
• uv run pytest data/plugins/astrbot_sandbox_cua/test_persistence.py -q -> 29 passed
• uv run pytest tests/unit/test_sandbox_tools_permissions.py tests/unit/test_sandbox_tool_consolidation.py tests/unit/test_astr_main_agent.py tests/unit/test_astr_agent_tool_exec.py tests/unit/test_tool_permission.py tests/unit/test_sandbox_tool_binding.py tests/test_dashboard.py tests/test_sandbox_frontend_contract.py tests/test_sandbox_plugin_schema_contract.py -q -> 292 passed, 1 warning
• pnpm build in dashboard completed successfully; existing MDI CSS warnings were present.

[sourcery-ai]

Sorry @zouyonghe, your pull request is larger than the review limit of 150000 diff characters

[gemini-code-assist]

Code Review

This pull request transitions the sandbox management system to a provider-based architecture, removing hardcoded implementations for Shipyard and CUA from the core. It introduces a SandboxManager, SandboxRegistry, and a SandboxProvider protocol to handle sandbox lifecycles, leases, and persistence generically. The dashboard is updated with new sandbox routes, and tool registration is refactored to be dynamically driven by providers. Review feedback highlights the need to restore provider-specific system prompts lost during extraction, improve resilience when sandboxes are busy, ensure compatibility with different booter implementations of the available check, and avoid blocking the event loop with synchronous file I/O in the registry.

[gemini-code-assist]

The generic sandbox tool mounting logic should also include provider-specific system prompt instructions if available. The extraction of runtimes removed important guidance (e.g., file path rules for Shipyard Neo or GUI instructions for CUA) that the LLM needs to use the tools effectively. The SandboxProvider protocol should be updated to provide these instructions. Please ensure this new functionality is accompanied by corresponding unit tests and that the logic for extracting provider info is shared to avoid duplication.

Suggested change

	provider_info = get_sandbox_provider_info(booter)
	if provider_info:
	for tool_name in provider_info.get("tool_names", []):
	tool = tool_mgr.get_func(tool_name)
	if tool and getattr(tool, "active", True):
	req.func_tool.add_tool(tool)
	provider_info = get_sandbox_provider_info(booter)
	if provider_info:
	if prompt := provider_info.get("system_prompt"):
	req.system_prompt = f"{req.system_prompt or ''}\n{prompt}\n"
	for tool_name in provider_info.get("tool_names", []):
	tool = tool_mgr.get_func(tool_name)
	if tool and getattr(tool, "active", True):
	req.func_tool.add_tool(tool)

References

1. When implementing similar functionality for different cases (e.g., direct vs. quoted attachments), refactor the logic into a shared helper function to avoid code duplication.
2. New functionality, such as handling attachments, should be accompanied by corresponding unit tests.

[gemini-code-assist]

Include the system_prompt from the provider in the info dictionary so it can be utilized by the agent during tool registration. Refactor the logic into a shared helper function to avoid code duplication. Also, ensure this new functionality is accompanied by unit tests.

Suggested change

	def _sandbox_provider_info(provider_id: str, provider: SandboxProvider) -> dict:
	return {
	"provider_id": provider_id,
	"capabilities": sorted(getattr(provider, "capabilities", set())),
	"tool_names": sorted(getattr(provider, "tool_names", set())),
	}
	def _sandbox_provider_info(provider_id: str, provider: SandboxProvider) -> dict:
	return {
	"provider_id": provider_id,
	"capabilities": sorted(getattr(provider, "capabilities", set())),
	"tool_names": sorted(getattr(provider, "tool_names", set())),
	"system_prompt": getattr(provider, "system_prompt", ""),
	}

References

1. When implementing similar functionality for different cases (e.g., direct vs. quoted attachments), refactor the logic into a shared helper function to avoid code duplication.
2. New functionality, such as handling attachments, should be accompanied by corresponding unit tests.

[gemini-code-assist]

The available attribute might be a property or a synchronous method in some implementations. It's safer to check if it's callable before awaiting it to avoid a TypeError.

        if callable(available):
            return await available()
        return bool(available)

[gemini-code-assist]

If the current sandbox is busy (e.g., taken over by another session), raising a RuntimeError here will cause the agent to fail. Instead of crashing, it would be more resilient to clear the current sandbox assignment for this session and fall through to the logic that finds the default sandbox or creates a new one.

Suggested change

	if not self.acquire_lease(current_sandbox_id, session_id):
	raise RuntimeError(f"Sandbox {current_sandbox_id} is busy")
	booter = self.session_booter[current_sandbox_id]
	if await self.booter_available(booter):
	self.registry.touch_sandbox(current_sandbox_id)
	self.save_registry()
	self.schedule_idle_cleanup(current_sandbox_id, idle_timeout)
	return booter
	self.session_booter.pop(current_sandbox_id, None)
	if self.acquire_lease(current_sandbox_id, session_id):
	booter = self.session_booter[current_sandbox_id]
	if await self.booter_available(booter):
	self.registry.touch_sandbox(current_sandbox_id)
	self.save_registry()
	self.schedule_idle_cleanup(current_sandbox_id, idle_timeout)
	return booter
	self.session_booter.pop(current_sandbox_id, None)
	else:
	self.registry.set_current_sandbox_id(session_id, None)
	self.save_registry()

[gemini-code-assist]

The SandboxProvider protocol should include a system_prompt field to allow runtimes to provide necessary instructions to the LLM (e.g., path conventions or specific tool usage workflows). New functionality should be accompanied by corresponding unit tests.

Suggested change

	class SandboxProvider(Protocol):
	provider_id: str
	capabilities: set[str]
	tool_names: set[str]
	class SandboxProvider(Protocol):
	provider_id: str
	capabilities: set[str]
	tool_names: set[str]
	system_prompt: str = ""

References

1. New functionality, such as handling attachments, should be accompanied by corresponding unit tests.

[gemini-code-assist]

Performing synchronous file I/O with write_text inside the event loop can block other coroutines, especially if the registry grows large. Consider using an executor or an asynchronous file library for persistence.

[zouyonghe]

Overall review

I reviewed this PR as a full sandbox-runtime architecture extraction rather than as an isolated file change. Although the diff is large, the implementation is structurally coherent and the risk appears relatively low.

Architecture

The PR moves concrete sandbox runtime implementations behind a provider abstraction and keeps core responsibilities focused on orchestration, registry state, lifecycle management, tool exposure, and dashboard integration. This is a good direction: runtime-specific behavior is no longer hard-coded into core, while the core still owns the common sandbox contract.

Lifecycle and state management

The sandbox manager/registry model is consistent with the new provider-based design. Creation, switching, leasing, takeover, cleanup, persistence, and runtime-state tracking are handled through centralized manager paths instead of being scattered across individual runtime implementations. This reduces coupling and should make future sandbox providers easier to add and maintain.

Dashboard and API surface

The dashboard changes follow the same abstraction boundary as the backend: providers are listed generically, sandboxes are managed through common records, and runtime operations are routed through the manager/provider contract. The UI/API additions are broad, but they are aligned with the new model rather than introducing a parallel control path.

Extensibility and compatibility

The provider registration model, sandbox tool binding, skill synchronization, and runtime selection changes fit together cleanly. The design gives provider plugins clear ownership of runtime-specific behavior while preserving a generic core interface for agents, tools, and the dashboard. That makes this PR a solid foundation for extracting and evolving sandbox drivers outside the core repository.

Verification

I ran the focused regression suite locally:

uv run pytest tests/unit/test_sandbox_manager.py tests/test_dashboard.py tests/unit/test_astr_main_agent.py tests/unit/test_astr_agent_tool_exec.py -q

Result:

300 passed, 1 warning

The covered areas include sandbox manager behavior, dashboard sandbox APIs, main agent runtime/tool wiring, and tool execution integration.

Risk assessment

The main risk is the size of the refactor, not a specific unresolved correctness issue. The new boundaries are clear, the provider abstraction is consistently applied, and the focused tests cover the most important integration points. Based on the code structure and regression results, I would classify this as a large but low-to-moderate risk architectural cleanup.

Recommendation

Looks good to merge. The PR is a significant internal restructuring, but it improves modularity and maintainability, and I did not find a blocking issue in the final reviewed state.