---
name: cto-sandbox-job
description: Sandcastle background job protocol for CTO. Use for broad, risky, long-running, AFK, or competitive branch attempts while WebUI remains the control plane.
metadata:
  version: 0.1.0
  hermes:
    requires_toolsets: [terminal_tools, file_tools]
  tier: T2
  status: active
  owner: jp
  source: hand
  last_reviewed: 2026-05-25
---

# CTO Sandbox Job

## Karpathy 4 Rules

1. **Think Before Coding** — state why direct coding is insufficient and define branch, scope, provider, and success criteria.
2. **Simplicity First** — use the existing `sandcastle` adapter path; do not build a parallel orchestrator.
3. **Surgical Changes** — writable scope must be explicit; no host-root or ambient environment forwarding.
4. **Goal-Driven Execution** — accept a job only after diff inspection, verification, and result classification.

## Required Job Contract

- `target_repo`, `base_ref`, unique `cto/<work-id>` branch.
- Sandbox provider: Docker or Podman by default.
- `noSandbox` and `branchStrategy: head` require JP approval.
- Prompt, log, raw events, branch, commits, diff, and verification output are artifacts.
- Ingest result as `accept`, `rerun`, `manual-review`, or `reject`.

## Safety Rules

- Snapshot and report dirty worktree state before launch.
- Do not pass ambient `.env` or credential stores into the sandbox.
- Hosted agent providers must be disclosed under `external_orchestrators`.
- Cancellation must preserve artifacts and mark the run cancelled.