feat: unut codesandbox integration

scripts/docker/entrypoint-allinone.sh

@@ -42,6 +42,17 @@ if [ -z "$STT_SERVICE" ]; then
     echo "✅ Using default STT_SERVICE: local/base"
 fi
 
+# ================================================
+# Microsandbox (optional secure sandbox server)
+# ================================================
+if [ "${MICROSANDBOX_ENABLED:-FALSE}" = "TRUE" ]; then
+    export MICROSANDBOX_AUTOSTART=true
+    echo "✅ Microsandbox enabled (requires --device /dev/kvm)"
+else
+    export MICROSANDBOX_AUTOSTART=false
+    echo "ℹ️  Microsandbox disabled (set MICROSANDBOX_ENABLED=TRUE to enable)"
+fi
+
 # ================================================
 # Set Electric SQL configuration
 # ================================================
@@ -232,6 +243,7 @@ echo "  Auth Type:       ${NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE}"
 echo "  ETL Service:     ${NEXT_PUBLIC_ETL_SERVICE}"
 echo "  TTS Service:     ${TTS_SERVICE}"
 echo "  STT Service:     ${STT_SERVICE}"
+echo "  Microsandbox:    ${MICROSANDBOX_ENABLED:-FALSE}"
 echo "==========================================="
 echo ""
 

scripts/docker/supervisor-allinone.conf

@@ -114,8 +114,23 @@ stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 environment=NODE_ENV="production",PORT="3000",HOSTNAME="0.0.0.0"
 
+# Microsandbox (secure code execution sandbox server)
+# Autostart is controlled by the entrypoint based on MICROSANDBOX_ENABLED env var.
+# Requires --device /dev/kvm and --privileged when running the container.
+[program:microsandbox]
+command=msb server start --dev
+autostart=%(ENV_MICROSANDBOX_AUTOSTART)s
+autorestart=true
+priority=25
+startsecs=5
+startretries=3
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
 # Process Groups
 [group:surfsense]
-programs=postgresql,redis,electric,backend,celery-worker,celery-beat,frontend
+programs=postgresql,redis,electric,backend,celery-worker,celery-beat,frontend,microsandbox
 priority=999