feat(proto,sandbox): SandboxExecService + RemoteRunner client (infra-admin P3b PR7/12)

.golangci.yml

@@ -58,6 +58,12 @@ linters:
     paths:
       # Exclude third-party vendored Go code bundled under ui/node_modules from analysis entirely
       - ui/node_modules
+      # Exclude protobuf-generated files. protoc-gen-go emits unsafe.Slice/
+      # unsafe.StringData (gosec G103) and protoc-gen-go-grpc emits embedded
+      # ClientStream selectors (staticcheck QF1008); neither is actionable on
+      # generated code, and gosec ignores the golangci `generated:` setting.
+      # The single \.pb\.go$ entry also covers *_grpc.pb.go.
+      - \.pb\.go$
     presets:
       - std-error-handling
 

plugin/external/proto/sandbox_exec.proto

@@ -0,0 +1,57 @@
+// sandbox_exec.proto — typed gRPC contract for remote sandbox execution.
+//
+// Design: docs/decisions/0019-remote-sandbox-agent.md (ADR 0019)
+// Plan:   docs/plans/infra-p3b-proto-client (Task 13)
+//
+// Hard invariants:
+//   - NO loose Struct/Any wrapper types.
+//   - Free-form payloads (env values, stdout/stderr bytes) are typed.
+//   - env VALUES may carry unresolved secret:// refs — the agent resolves them.
+//     The client MUST NOT resolve secret:// refs; pass them through verbatim.
+//   - profile is the requested security profile; the agent clamps it server-side.
+syntax = "proto3";
+
+package workflow.plugin.external.sandbox;
+
+option go_package = "github.com/GoCodeAlone/workflow/plugin/external/proto;proto";
+
+// SandboxExecService is served by the remote sandbox agent (engine → agent).
+// Callers open a streaming Exec RPC; the server streams back stdout/stderr
+// chunks followed by a terminal exit_code chunk.
+service SandboxExecService {
+  rpc Exec(SandboxExecRequest) returns (stream SandboxExecChunk);
+}
+
+// SandboxExecRequest describes a single command execution in the remote sandbox.
+// env VALUES may be unresolved secret:// refs — the remote agent resolves them
+// before launching the command (ADR 0017). The client passes them verbatim.
+// profile is the requested security profile; the agent clamps it to its
+// configured maximum-allowed profile (PR8).
+message SandboxExecRequest {
+  // profile is the requested sandbox security profile (e.g. "default", "strict").
+  string profile = 1;
+  // image is the OCI image reference to run the command in.
+  string image = 2;
+  // command is the argv-style command to execute inside the sandbox.
+  repeated string command = 3;
+  // env carries the process environment. Values may be unresolved secret://
+  // references; the agent resolves them before exec (ADR 0017).
+  map<string, string> env = 4;
+  // workdir is the working directory inside the container. Empty = image default.
+  string workdir = 5;
+}
+
+// SandboxExecChunk is one streamed unit of command output. The server sends
+// zero or more stdout/stderr chunks followed by exactly one exit_code chunk
+// which terminates the stream.
+message SandboxExecChunk {
+  oneof chunk {
+    // stdout carries a raw bytes fragment of the process stdout.
+    bytes stdout = 1;
+    // stderr carries a raw bytes fragment of the process stderr.
+    bytes stderr = 2;
+    // exit_code is the terminal chunk; signals the command has finished.
+    // The client MUST treat the first exit_code chunk as stream end.
+    int32 exit_code = 3;
+  }
+}