# Secure sandbox template
# Maximum isolation: no network, no mounts, read-only filesystem
[sandbox]
name = "secure"
base_image = "alpine:3.20"
[resources]
vcpus = 1
memory_mb = 256
[security]
profile = "restrictive"
network = false
[template]
description = "Maximum isolation: no network, read-only"
category = "Specialized"
help_text = """
How to use: Start the sandbox and run your workflow inside /workspace.
Example command: ls -la /workspace
Binaries available: sh, busybox
Services and ports: No service ports; networking is disabled by profile.
"""