spike: scaffold Cloudflare Sandbox execution tier

Author: StackMemory Bot (CLI)

docs/specs/CLOUDFLARE_SANDBOX_P3.md

@@ -0,0 +1,159 @@
+# P3 Spike: Cloudflare Sandbox as L3 Remote Execution Tier
+
+## Scope
+
+This spike answers one question:
+
+**Can Cloudflare Sandboxes serve as a viable `L3` remote execution tier for StackMemory agents?**
+
+For this spike, `L3` means:
+- remote, isolated, browser-addressable execution
+- persistent enough to survive idle cycles via mounted storage or backups
+- suitable for repo-oriented agent work
+
+It does **not** mean:
+- replacing Postgres/SQLite as StackMemory's primary metadata database
+- replacing the hosted memory runtime
+
+## Why this is worth testing now
+
+Cloudflare's current platform shape materially changed:
+- Sandboxes are now generally available.
+- The SDK exposes commands, files, PTY terminals, Git workflows, file watching, mounted buckets, and backup/restore.
+- The platform is explicitly targeted at agentic workloads, CI/CD, and interactive development environments.
+
+That changes the answer from "interesting maybe later" to "build a real spike now".
+
+## Hypothesis
+
+Cloudflare Sandboxes are viable for StackMemory if all of the following are true:
+
+1. We can map one sandbox ID to one project/session cleanly.
+2. Browser terminal UX is good enough through WebSockets.
+3. Repo bootstrap plus restore beats repeated cold setup.
+4. Mounted storage and backups are good enough for persistence.
+5. Control-plane logic can stay in Workers without leaking secrets into the sandbox.
+
+## What the spike package implements
+
+See `packages/cloudflare-sandbox-spike/`.
+
+It provides:
+- Worker entrypoint
+- Sandbox binding
+- container image
+- websocket terminal route
+- Git checkout bootstrap route
+- command execution route
+- file read/write routes
+- mounted R2 route
+- backup/restore routes
+
+This is enough to validate the platform shape without dragging in full StackMemory runtime complexity.
+
+## Viability criteria
+
+The spike is a `GO` if we can demonstrate:
+
+1. **Bootstrapping**
+   - clone a repo into `/workspace/repo`
+   - run install/test/build commands
+
+2. **Interactive work**
+   - connect browser terminal over websocket
+   - keep shell state in a session
+
+3. **Persistence**
+   - mount an R2 bucket into the sandbox filesystem
+   - persist files across sandbox destruction
+   - create and restore a workspace backup
+
+4. **Security model**
+   - control secrets from the Worker side
+   - avoid embedding live credentials directly into user-controlled code
+
+5. **Operational clarity**
+   - one sandbox ID maps cleanly to project/session identity
+   - cleanup lifecycle is explicit
+   - failure modes are understandable
+
+## Non-goals
+
+- Multi-tenant billing
+- full StackMemory API integration
+- hosted retrieval/indexing layer
+- production authn/authz
+- scheduler and queue integration
+- fleet management
+
+## Current platform reading
+
+### What looks strong
+
+Cloudflare now has the pieces we actually need:
+- Sandboxes are GA and explicitly positioned for untrusted code execution and agent workflows.
+- Sandbox instances are Durable Objects under the hood, which gives a natural coordination identity.
+- Git operations are first-class.
+- PTY terminals are first-class.
+- Mounted S3-compatible buckets are first-class.
+- Backup/restore is first-class and specifically designed to avoid repeating clone/install/setup costs.
+
+### What still looks limiting
+
+- Sandbox containers are still ephemeral unless you add mounted storage or backups.
+- Backup/restore is production-only right now, not `wrangler dev`.
+- Preview URLs need custom domain setup; `.workers.dev` is not enough for exposed-port workflows.
+- This is an execution platform, not a relational memory/query platform.
+
+## Recommended production shape if this spike passes
+
+### Keep
+- StackMemory hosted runtime for:
+  - projects
+  - runs
+  - frames
+  - anchors
+  - retrieval
+  - search
+  - orchestration
+
+### Add
+- Cloudflare Sandbox as:
+  - per-project execution runtime
+  - browser terminal endpoint
+  - disposable worker session host
+
+### Store
+- R2 for:
+  - mounted project persistence
+  - backup archives
+  - large artifacts and logs
+
+### Coordinate
+- Durable Objects for:
+  - sandbox identity
+  - session-to-sandbox routing
+  - short-lived coordination state
+
+## Recommended production shape if this spike fails
+
+If terminal UX, bootstrap/restore latency, or operational complexity are poor, do not force it.
+
+Fallback:
+- keep execution local or VM-based
+- use Cloudflare only for edge API/control-plane pieces
+- do not contort StackMemory around a weak remote execution substrate
+
+## First decision after the spike
+
+At the end of P3, we should be able to say one of these clearly:
+
+1. **GO**: Cloudflare Sandbox is good enough for a real remote execution track.
+2. **PARTIAL GO**: good for ephemeral code execution, not good enough for long-lived interactive project sessions.
+3. **NO GO**: useful technology, wrong fit for StackMemory's execution model.
+
+## Deliverables
+
+- `packages/cloudflare-sandbox-spike/`
+- this decision note
+- a short benchmark/result note after hands-on validation

packages/cloudflare-sandbox-spike/.dev.vars.example

@@ -0,0 +1,5 @@
+R2_ENDPOINT=https://YOUR_ACCOUNT_ID.r2.cloudflarestorage.com
+AWS_ACCESS_KEY_ID=replace-me
+AWS_SECRET_ACCESS_KEY=replace-me
+CLOUDFLARE_ACCOUNT_ID=replace-me
+BACKUP_BUCKET_NAME=stackmemory-spike-backups

packages/cloudflare-sandbox-spike/Dockerfile

@@ -0,0 +1,12 @@
+FROM docker.io/cloudflare/sandbox:0.7.0-python
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    jq \
+    ripgrep \
+    sqlite3 \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN npm install -g pnpm@10
+
+WORKDIR /workspace

packages/cloudflare-sandbox-spike/README.md

@@ -0,0 +1,121 @@
+# Cloudflare Sandbox Spike
+
+P3 spike for proving whether Cloudflare Sandboxes are a viable remote execution tier for StackMemory.
+
+This package is intentionally narrow:
+- Worker + Sandbox SDK scaffold
+- terminal/websocket path
+- command execution
+- file read/write
+- Git checkout
+- R2-backed persistence hooks
+- backup/restore hooks
+
+It is not production-ready orchestration. The point is to validate platform fit.
+
+## Why this spike exists
+
+For StackMemory, the hard question is not "can Cloudflare run code?".
+It is:
+
+1. Can it host an isolated, project-scoped agent runtime?
+2. Can it preserve enough state to avoid cold-starting every session?
+3. Can it support browser terminals and repo workflows cleanly?
+4. Are the limits predictable enough to become a real `L3` remote execution layer?
+
+Cloudflare's current Sandbox SDK is the first platform shape that makes this plausible without building a custom container control plane ourselves.
+
+## What this spike proves
+
+The scaffold demonstrates:
+
+- `POST /v1/sandboxes/:id/bootstrap`
+  - optionally mounts persistent storage
+  - optionally clones a repo into `/workspace/repo`
+- `POST /v1/sandboxes/:id/exec`
+  - runs commands in the sandbox
+- `GET /v1/sandboxes/:id/files?path=...`
+- `PUT /v1/sandboxes/:id/files?path=...`
+- `GET /v1/sandboxes/:id/ls?path=...`
+- `POST /v1/sandboxes/:id/mount`
+  - mounts project storage into the sandbox
+- `POST /v1/sandboxes/:id/backup`
+- `POST /v1/sandboxes/:id/restore`
+- `POST /v1/sandboxes/:id/destroy`
+- `GET /health`
+- `GET/WS /v1/sandboxes/:id/terminal`
+  - browser terminal passthrough to the sandbox PTY
+
+## Local development
+
+Prereqs:
+- Docker running locally
+- Cloudflare account
+- Node.js
+
+Install:
+
+```bash
+cd packages/cloudflare-sandbox-spike
+npm install
+```
+
+Start locally:
+
+```bash
+npm run dev
+```
+
+Smoke test:
+
+```bash
+curl http://localhost:8787/health
+
+curl -X POST http://localhost:8787/v1/sandboxes/demo/bootstrap \
+  -H 'content-type: application/json' \
+  -d '{"repoUrl":"https://github.com/stackmemoryai/stackmemory.git","depth":1,"mountProjectData":true,"localBucket":true}'
+
+curl -X POST http://localhost:8787/v1/sandboxes/demo/exec \
+  -H 'content-type: application/json' \
+  -d '{"command":"bash","args":["-lc","cd /workspace/repo && git status --short"]}'
+```
+
+## Production-only caveat
+
+`backup` / `restore` do not work under `wrangler dev` because the current backup implementation requires FUSE support. Use deployed Workers for that part of the spike.
+
+## Required config
+
+`wrangler.jsonc` already includes:
+- `containers`
+- `durable_objects`
+- `migrations`
+- `PROJECT_DATA` R2 binding
+- `BACKUP_BUCKET` R2 binding
+
+For remote R2 bucket mounting and backup flows, populate secrets/envs similar to `.dev.vars.example`.
+
+## Suggested evaluation sequence
+
+1. `health`
+2. `bootstrap`
+3. `exec`
+4. websocket terminal
+5. `mount`
+6. write/read through mounted storage
+7. `backup`
+8. destroy sandbox
+9. restore backup
+10. re-run command in restored repo
+
+## Current recommendation
+
+If this spike works end-to-end, the likely production shape is:
+
+- Workers = control plane / auth / API
+- Sandbox = per-project or per-session execution runtime
+- Durable Object = instance identity and state coordination
+- R2 = mounted project persistence + backups + artifacts
+- StackMemory hosted runtime = metadata, indexing, retrieval, event routing
+
+This should be treated as a remote execution tier, not as a replacement for StackMemory's hosted relational memory store.