Component · runner/

runner

The Phase-1 sandbox harness image — the code that runs on the dangerous side of the boundary. It executes the untrusted workload inside the gVisor pod, captures output, and emits the structured result.

Role in the architecture#

The runner is the container image the Kubernetes backend launches. Its Python and Node entrypoints execute the workload, capture stdout/stderr, and communicate structured signals back to the control plane through stdout sentinel lines (the pod's only channel out).

Source

runner/runner.py · runner/runner.js · runner/Dockerfile.

The enclave helper#

Both runtimes inject a global enclave object so the workload can return a structured result:

workload.pypython

# inside the sandbox, the runner injects a global `enclave`
enclave.result({ "answer": 285 })   # return structured JSON

import os
os.environ["ENCLAVE_SESSION_ID"]    # the session id the backend stamped in

The backend stamps each run with an ENCLAVE_SESSION_ID env var so the workload can identify its own session. No brokered secret is ever placed in the sandbox — service-binding secrets are injected at the egress proxy, and a private-repo git token stays on the clone init-container.

Sentinel protocol#

The runner emits machine-readable lines prefixed with __ENCLAVE__ on stdout. The backend parses them to record egress attempts and capture the structured result, separately from the workload's own printed output:

stdouttext

__ENCLAVE__ {"t":"egress","host":"169.254.169.254","ok":false}
__ENCLAVE__ {"t":"result","json":{"answer":285}}