# microsandbox - Doramagic AI Context Pack

> Positioning: a pre-install experience and decision asset. It helps the host AI get off to a good start, but it does not mean the target project has been installed, executed or verified.

## Sufficiency Principle

- **Sufficiency, not compression**: the AI Context Pack should be sufficient for the host AI to understand the project's value, capability boundaries, entry points, risks and evidence sources before starting work; it may be organized in layers, but the shortest possible summary is not the goal.
- **Compression strategy**: compress only noise and duplicate content, never context that affects judgment or the quality of the work.

## How the Host AI Should Use This

You are reading the AI Context Pack that Doramagic compiled for microsandbox. Treat it as pre-work context: it helps the user understand who the project suits, what it can do, how to get started, what must be verified after installation, and where the risks are. Do not claim that you have installed, run or executed the target project.

## Claim Consumption Rules

- **Source of facts**: Repo Evidence + Claim/Evidence Graph; the Human Wiki only supplies salience, terminology and narrative structure.
- **Minimum status for a fact**: `supported`
- `supported`: may be used as a project fact, but the answer must cite the claim_id and the evidence path.
- `weak`: may only be used as a low-confidence lead; the user must be asked to verify further.
- `inferred`: may only be used for risk notes or open questions, never packaged as a project fact.
- `unverified`: must not be used as a fact; state plainly that the evidence is insufficient.
- `contradicted`: the conflicting sources must be shown; do not pick one version on the user's behalf.

## Who It Suits Best

- **Developers already using a host AI such as Claude/Codex/Cursor/Gemini**: the README or plugin configuration mentions multiple host AIs. Evidence: `README.md` Claim: `clm_0002` supported 0.86

## What It Can Do

- **Command-line launch or installation flow** (verify after installation): the project documentation contains executable commands; real use requires running them locally or in the host environment. Evidence: `DEVELOPMENT.md`, `agent-client/typescript/README.md`, `scripts/install.sh`, `scripts/smoke/cli/pre05-running-sandbox-compat.sh` and others Claim: `clm_0001` supported 0.86

## Getting Started

- `git clone https://github.com/microsandbox/microsandbox.git` Evidence: `DEVELOPMENT.md` Claim: `clm_0003` unverified 0.25
- `npm install @microsandbox/agent-client` Evidence: `agent-client/typescript/README.md` Claim: `clm_0004` supported 0.86
- `npm install microsandbox` Evidence: `sdk/node-ts/README.md` Claim: `clm_0004` supported 0.86, `clm_0005` supported 0.86
- `pip install microsandbox` Evidence: `sdk/python/README.md` Claim: `clm_0006` supported 0.86
- `curl -fsSL "$url" -o "$dest"` Evidence: `scripts/smoke/cli/pre05-running-sandbox-compat.sh` Claim: `clm_0007` unverified 0.25
- `curl -fsSL "$_url" -o "$_dest" || error "Failed to download $_url"` Evidence: `scripts/install.sh` Claim: `clm_0008` unverified 0.25
- `curl -fsSL "$_url" -o "$_tmp" 2>/dev/null &` Evidence: `scripts/install.sh` Claim: `clm_0009` unverified 0.25

## Decision Card Before Continuing

- **Current recommendation**: sandbox trial install only
- **Why**: the project contains install commands, host configuration or local-write indicators; do not go straight into your primary environment, trial-install in an isolated environment first.

### 30-Second Judgment

- **What to do now**: sandbox trial install only
- **Smallest safe next step**: run the Prompt Preview first; if you still want to install, trial-install only in an isolated environment
- **Do not trust yet**: real output quality cannot be trusted before installation.
- **Continuing will touch**: command execution, host AI configuration, the local environment or project files

### What You Can Trust Now

- **Target-audience indicator: developers already using a host AI such as Claude/Codex/Cursor/Gemini** (supported): backed by a supported claim or project evidence, but still not equivalent to a real installation result. Evidence: `README.md` Claim: `clm_0002` supported 0.86
- **Capability present: command-line launch or installation flow** (supported): you can trust that the project shows indicators of this capability; whether it suits your specific task must still be verified by trying or installing it. Evidence: `DEVELOPMENT.md`, `agent-client/typescript/README.md`, `scripts/install.sh`, `scripts/smoke/cli/pre05-running-sandbox-compat.sh` and others Claim: `clm_0001` supported 0.86
- **Quick Start / install command indicators present** (supported): you can trust that the project documentation shows a launch or install entry point; do not run it in your primary environment on that basis. Evidence: `agent-client/typescript/README.md` Claim: `clm_0004` supported 0.86

### What You Cannot Trust Yet

- **Real output quality cannot be trusted before installation.** (unverified): the Prompt Preview can only show the guidance style; it cannot prove the quality of results in the real project.
- **Host AI version compatibility cannot be trusted before installation.** (unverified): how hosts such as Claude, Cursor, Codex and Gemini load rules, and their version differences, must be verified in a real environment.
- **That it will not contaminate existing host AI behaviour cannot be taken on trust.** (inferred): Skill, plugin and AGENTS/CLAUDE/GEMINI instructions may change the host AI's default behaviour. Evidence: `AGENTS.md`
- **Safe rollback cannot be assumed.** (unverified): unless the project explicitly provides uninstall and recovery instructions, verify in an isolated environment first.
- **After a real installation, is it compatible with the user's current host AI version?** (unverified): compatibility can only be verified in the actual host environment.
- **Does the project's output quality meet the user's specific task?** (unverified): a pre-install preview can only show the flow and boundaries; it is no substitute for real evaluation.
- **Do the install commands need network access, privileges or global writes?** (unverified): this affects installation risk in both enterprise and personal environments. Evidence: `DEVELOPMENT.md`

### What Continuing Will Touch

- **Command execution**: package managers, network downloads, local plugin directories, project configuration or the user's home directory. Reason: running the first command can already change the environment; decide first whether it is worth running. Evidence: `DEVELOPMENT.md`, `agent-client/typescript/README.md`, `scripts/install.sh`, `scripts/smoke/cli/pre05-running-sandbox-compat.sh` and others
- **Host AI configuration**: plugin, Skill or rule-loading configuration for hosts such as Claude/Codex/Cursor/Gemini/OpenCode. Reason: host configuration changes how the AI works from then on and may conflict with the user's existing rules. Evidence: `AGENTS.md`
- **Local environment or project files**: installation output, plugin caches, project configuration or local dependency directories. Reason: the write scope and rollback path cannot be proven before installation; verify in isolation. Evidence: `DEVELOPMENT.md`, `agent-client/typescript/README.md`, `scripts/install.sh`, `scripts/smoke/cli/pre05-running-sandbox-compat.sh` and others
- **Host AI context**: the AI Context Pack, Prompt Preview, Skill routing, risk rules and project facts. Reason: imported context shapes the host AI's later judgment; unverified items must not be packaged as facts.

### Smallest Safe Next Step

- **Run the Prompt Preview first**: use the pre-install interactive trial to judge whether the working style fits; it needs no authorization and changes nothing in the environment. (Applies to: any project, especially when output quality is unknown.)
- **Trial-install only in an isolated directory or test account**: keep install commands from contaminating your primary host AI, real projects or home directory. (Applies to: when there are indicators of command execution, plugin configuration or local writes.)
- **Back up the host AI configuration first**: Skill, plugin and rule files may change the default behaviour of Claude/Cursor/Codex. (Applies to: when a plugin manifest, Skill or host rule entry point is present.)
- **After installing, verify only one minimal task**: confirm loading, compatibility, output quality and rollback before deciding whether to adopt it fully. (Applies to: when moving from trial into a real workflow.)

### Exit Path

- **Preserve the pre-install state**: record the original host configuration and project state so that recoverability can be judged later.
- **Be ready to remove host plugin / Skill / rule entry points**: if behaviour is abnormal after the trial install, the host AI can be restored to its pre-trial state.
- **Record install commands and write paths**: without explicit uninstall instructions, at least know which directories or configuration need manual cleanup.
- **If there is no rollback path, do not enter the primary environment**: non-rollbackability is a blocker before continuing; do not proceed on trust or luck.

## What Can Only Be Previewed

- Explain who the project suits and what it can do
- Demonstrate typical conversation flows based on the project documentation
- Help the user judge whether it is worth installing or researching further

## What Must Be Verified After Installation

- Actually installing the Skill, plugin or CLI
- Running scripts, modifying local files or accessing external services
- Verifying real output quality, performance and compatibility

## Boundary and Risk Decision Card

- **Mistaking the pre-install preview for a real run**: the user may overestimate how much configuration, permission and compatibility verification the project has already completed. Handling: clearly distinguish prompt_preview_can_do from runtime_required. Claim: `clm_0010` inferred 0.45
- **Command execution modifies the local environment**: install commands may write to the user's home directory, host plugin directories or project configuration. Handling: run in an isolated environment or test account first. Evidence: `DEVELOPMENT.md`, `agent-client/typescript/README.md`, `scripts/install.sh`, `scripts/smoke/cli/pre05-running-sandbox-compat.sh` and others Claim: `clm_0011` supported 0.86
- **To confirm**: after a real installation, is it compatible with the user's current host AI version? Reason: compatibility can only be verified in the actual host environment.
- **To confirm**: does the project's output quality meet the user's specific task? Reason: a pre-install preview can only show the flow and boundaries; it is no substitute for real evaluation.
- **To confirm**: do the install commands need network access, privileges or global writes? Reason: this affects installation risk in both enterprise and personal environments.

## Pre-Work Context

### Loading Order

- First read how_to_use.host_ai_instruction to establish the boundaries of this pre-install decision asset.
- Read claim_graph_summary to confirm that facts come from the Claim/Evidence Graph, not from the Human Wiki narrative.
- Then read intended_users, capabilities and quick_start_candidates to judge whether the user is a match.
- When a specific task must be carried out, consult role_skill_index first, then evidence_index.
- When real installation, file modification, network access, performance or compatibility questions come up, switch to risk_card and boundaries.runtime_required.

### Task Routing

- **Command-line launch or installation flow**: first explain that this capability is verified after installation, then provide a pre-install checklist. Boundary: must be verified after a real install or run. Evidence: `DEVELOPMENT.md`, `agent-client/typescript/README.md`, `scripts/install.sh`, `scripts/smoke/cli/pre05-running-sandbox-compat.sh` and others Claim: `clm_0001` supported 0.86

### Context Size

- Total files: 661
- Key-file coverage: 40/661
- Evidence index entries: 80
- Role / Skill entries: 13

### Handling Insufficient Evidence

- **missing_evidence**: state that the evidence is insufficient and ask the user to provide the target file, README section or post-install verification record; do not fill in facts.
- **out_of_scope_request**: state that the task is outside the evidence scope of this AI Context Pack and suggest that the user consult the Human Manual first or verify after a real install.
- **runtime_request**: provide the pre-install checklist and the source of the commands, but do not run the commands for the user or claim to have run them.
- **source_conflict**: show the conflicting sources side by side, mark them as pending verification, and do not force a choice of one version.

## Prompt Recipes

### Fit Assessment

- Goal: judge whether this project suits the user's current task.
- Expected output: fit verdict, key reasons, evidence citations, what can be previewed before installation, what must be verified after installation, next-step recommendation.

```text
Based on the AI Context Pack for microsandbox, first ask me 3 necessary questions, then judge whether it suits my task. The answer must include: who it suits, what it can do, what it cannot do, whether it is worth installing, and where the evidence comes from. Every project fact must cite evidence_refs, source_paths or a claim_id.
```

### Pre-Install Experience

- Goal: let the user feel the core workflow before installation, while not packaging the preview as a real capability or a marketing promise.
- Expected output: a boundary-labelled experience script, a post-install verification checklist and a cautious recommendation; no real-run promises or strong marketing language.

```text
Treat microsandbox as a pre-install experience asset, not as an installed tool or a real runtime environment.

Output exactly four sections:
1. First ask me 3 necessary questions.
2. Give an "experience script": use the three labels [previewable before install], [must verify after install] and [insufficient evidence] to show how it might guide the workflow.
3. Give a post-install verification checklist: list which capabilities can only be confirmed after a real install, real host loading and a real project run.
4. Give a cautious recommendation: say only "worth researching further / trial-installing", "gather more information before judging" or "not recommended"; do not endorse the project.

Hard boundaries:
- Do not claim to have installed, run, executed tests, modified files or produced real results.
- Do not write promissory phrases such as "auto-adapts", "guaranteed to pass", "perfect fit" or "strongly recommend installing".
- When describing how it works after installation, use conditionals such as "if installation succeeds and the host loads the Skill correctly, it might ...".
- The experience script may only be written as "sample lines / hypothetical flow": use "might ask / might suggest / might show", never "has written, has generated, has passed, is running, is generating".
- The Prompt Preview does not provide install commands; if the user intends to trial-install, only point them to read the Quick Start and Risk Card first and to verify in an isolated environment.
- Every project fact must come from a supported claim, evidence_refs or source_paths; inferred/unverified items may only appear as risks or open questions.
```

### Role / Skill Selection

- Goal: pick the best-matching asset from the project's roles or Skills.
- Expected output: a list of candidate roles or Skills, each with applicable scenarios, evidence path, risk boundaries and whether post-install verification is needed.

```text
Read role_skill_index and recommend the 3-5 roles or Skills most relevant to my target task. For each recommendation, explain the applicable scenario, likely output, risk boundaries and evidence_refs.
```

### Risk Pre-Check

- Goal: identify environment, permission, rule-conflict and quality risks before installing or adopting the project.
- Expected output: a checklist covering environment, permissions, dependencies, licensing, host conflicts, quality risks and unknowns.

```text
Based on risk_card, boundaries and quick_start_candidates, give me a pre-install risk checklist. Do not run commands for me; only explain what I should check, why I should check it, and what the impact of a failure would be.
```

### Host AI Kick-off Instruction

- Goal: turn the project context into a host AI instruction for the start of a conversation.
- Expected output: a pre-work instruction with clear boundaries and clear evidence citations, suitable for pasting to a host AI.

```text
Based on the AI Context Pack for microsandbox, generate a pre-work instruction that I can paste to a host AI. The instruction must honour not_runtime=true and must not claim that the project has been installed, run or produced real results.
```

## Role / Skill Index

- 13 role / Skill / project-document entries indexed in total.

- **Readme** (project_doc): easy, fast, local microVMs for untrusted workloads. Activation hint: consult when the user needs to understand the project structure, installation method or boundaries. Evidence: `README.md`
- **microsandbox agent client** (project_doc): Transport-agnostic clients for speaking the microsandbox agent protocol. Activation hint: consult when the user needs to understand the project structure, installation method or boundaries. Evidence: `agent-client/README.md`
- **microsandbox-agent-client** (project_doc): Low-level Rust client for speaking the microsandbox agent protocol. Activation hint: consult when the user needs to understand the project structure, installation method or boundaries. Evidence: `agent-client/rust/README.md`
- **@microsandbox/agent-client** (project_doc): Low-level TypeScript client for speaking the microsandbox agent protocol from Node.js or browser/front-end runtimes. Activation hint: consult when the user needs to understand the project structure, installation method or boundaries. Evidence: `agent-client/typescript/README.md`
- **microsandbox-filesystem** (project_doc): Filesystem backends for microsandbox https://github.com/superradcompany/microsandbox virtual machines. This crate now exposes the three backends the runtime still uses: PassthroughFs, MemFs, and DualFs. Activation hint: consult when the user needs to understand the project structure, installation method or boundaries. Evidence: `crates/filesystem/README.md`
- **microsandbox-image** (project_doc): Pull OCI container images and cache ready-to-mount filesystem artifacts locally. This crate handles the full image lifecycle for microsandbox https://github.com/superradcompany/microsandbox — from resolving a multi-platform manifest to producing per-layer EROFS images, fsmeta, and the VMDK descriptor used by the VM. Activation hint: consult when the user needs to understand the project structure, installation method or boundaries. Evidence: `crates/image/README.md`
- **microsandbox** (project_doc): Lightweight VM sandboxes for running AI agents and untrusted code with hardware-level isolation. Activation hint: consult when the user needs to understand the project structure, installation method or boundaries. Evidence: `crates/microsandbox/README.md`
- **microsandbox** (project_doc): Lightweight VM sandboxes for Go — run AI agents and untrusted code with hardware-level isolation. Activation hint: consult when the user needs to understand the project structure, installation method or boundaries. Evidence: `sdk/go/README.md`
- **Go Examples** (project_doc): Example Description --------- ------------- basic Create a sandbox, run commands, use filesystem and metrics detached Detached lifecycle, reattach, stop, and remove disk Build and mount a raw ext4 disk image errors Typed error handling with IsKind and errors.As filesystem Filesystem read/write/list/stat/copy/streaming operations image-cache List, get, inspect, and garbage-collect cached OCI images metrics Point-in-t… Activation hint: consult when the user needs to understand the project structure, installation method or boundaries. Evidence: `sdk/go/examples/README.md`
- **microsandbox** (project_doc): Lightweight VM sandboxes for Node.js — run AI agents and untrusted code with hardware-level isolation. Activation hint: consult when the user needs to understand the project structure, installation method or boundaries. Evidence: `sdk/node-ts/README.md`
- **microsandbox** (project_doc): Lightweight VM sandboxes for Python — run AI agents and untrusted code with hardware-level isolation. Activation hint: consult when the user needs to understand the project structure, installation method or boundaries. Evidence: `sdk/python/README.md`
- **AGENTS.md** (project_doc): These instructions are only for agents contributing changes to this repository. Do not apply them to other repositories or to general agent behavior outside this contribution workflow. Activation hint: consult when the user needs to understand the project structure, installation method or boundaries. Evidence: `AGENTS.md`
- **Contributing to Microsandbox** (project_doc): Hello there! Whether you're a seasoned developer or just getting started, we're thrilled that you're interested in contributing to Microsandbox. This community thrives because of people like you! Activation hint: consult when the user needs to understand the project structure, installation method or boundaries. Evidence: `CONTRIBUTING.md`

## Evidence Index

- 80 evidence entries indexed in total.

- **Readme** (documentation): easy, fast, local microVMs for untrusted workloads. Evidence: `README.md`
- **microsandbox agent client** (documentation): Transport-agnostic clients for speaking the microsandbox agent protocol. Evidence: `agent-client/README.md`
- **microsandbox-agent-client** (documentation): Low-level Rust client for speaking the microsandbox agent protocol. Evidence: `agent-client/rust/README.md`
- **@microsandbox/agent-client** (documentation): Low-level TypeScript client for speaking the microsandbox agent protocol from Node.js or browser/front-end runtimes. Evidence: `agent-client/typescript/README.md`
- **microsandbox-filesystem** (documentation): Filesystem backends for microsandbox https://github.com/superradcompany/microsandbox virtual machines. This crate now exposes the three backends the runtime still uses: PassthroughFs, MemFs, and DualFs. Evidence: `crates/filesystem/README.md`
- **microsandbox-image** (documentation): Pull OCI container images and cache ready-to-mount filesystem artifacts locally. This crate handles the full image lifecycle for microsandbox https://github.com/superradcompany/microsandbox — from resolving a multi-platform manifest to producing per-layer EROFS images, fsmeta, and the VMDK descriptor used by the VM. Evidence: `crates/image/README.md`
- **microsandbox** (documentation): Lightweight VM sandboxes for running AI agents and untrusted code with hardware-level isolation. Evidence: `crates/microsandbox/README.md`
- **microsandbox** (documentation): Lightweight VM sandboxes for Go — run AI agents and untrusted code with hardware-level isolation. Evidence: `sdk/go/README.md`
- **Go Examples** (documentation): Example Description --------- ------------- basic Create a sandbox, run commands, use filesystem and metrics detached Detached lifecycle, reattach, stop, and remove disk Build and mount a raw ext4 disk image errors Typed error handling with IsKind and errors.As filesystem Filesystem read/write/list/stat/copy/streaming operations image-cache List, get, inspect, and garbage-collect cached OCI images metrics Point-in-time and streaming metrics network Presets, DNS, TLS, and custom network settings patches Pre-boot rootfs patches ports Publish guest TCP ports on host ports secrets Secret placeholder injection snapshot-fork Create a stopped-sandbox snapshot and boot a fork from it streaming Stre… Evidence: `sdk/go/examples/README.md`
- **microsandbox** (documentation): Lightweight VM sandboxes for Node.js — run AI agents and untrusted code with hardware-level isolation. Evidence: `sdk/node-ts/README.md`
- **microsandbox** (documentation): Lightweight VM sandboxes for Python — run AI agents and untrusted code with hardware-level isolation. Evidence: `sdk/python/README.md`
- **Package** (package_manifest): { "name": "@microsandbox/agent-client", "version": "0.5.6", "type": "module", "license": "Apache-2.0", "engines": { "node": " = 22" }, "exports": { ".": { "types": "./dist/index.d.ts", "import": "./dist/index.js" }, "./node": { "types": "./dist/node.d.ts", "import": "./dist/node.js" }, "./transports/websocket": { "types": "./dist/transports/websocket.d.ts", "import": "./dist/transports/websocket.js" }, "./stream": { "types": "./dist/stream.d.ts", "import": "./dist/stream.js" }, "./message": { "types": "./dist/message.d.ts", "import": "./dist/message.js" }, "./frame": { "types": "./dist/frame.d.ts", "import": "./dist/frame.js" }, "./packet": { "types": "./dist/packet.d.ts", "import": "./dist… Evidence: `agent-client/typescript/package.json`
- **Package** (package_manifest): { "name": "@superradcompany/microsandbox-darwin-arm64", "version": "0.5.6", "description": "Bundled msb + libkrunfw + napi binding for microsandbox on macOS arm64.", "os": "darwin" , "cpu": "arm64" , "main": "microsandbox.darwin-arm64.node", "files": "microsandbox.darwin-arm64.node", "bin/msb", "lib/libkrunfw. .dylib" , "license": "Apache-2.0", "engines": { "node": " = 22" } } Evidence: `sdk/node-ts/npm/darwin-arm64/package.json`
- **Package** (package_manifest): { "name": "@superradcompany/microsandbox-linux-arm64-gnu", "version": "0.5.6", "description": "Bundled msb + libkrunfw + napi binding for microsandbox on Linux arm64 glibc .", "os": "linux" , "cpu": "arm64" , "libc": "glibc" , "main": "microsandbox.linux-arm64-gnu.node", "files": "microsandbox.linux-arm64-gnu.node", "bin/msb", "lib/libkrunfw.so. " , "license": "Apache-2.0", "engines": { "node": " = 22" } } Evidence: `sdk/node-ts/npm/linux-arm64-gnu/package.json`
- **Package** (package_manifest): { "name": "@superradcompany/microsandbox-linux-x64-gnu", "version": "0.5.6", "description": "Bundled msb + libkrunfw + napi binding for microsandbox on Linux x86 64 glibc .", "os": "linux" , "cpu": "x64" , "libc": "glibc" , "main": "microsandbox.linux-x64-gnu.node", "files": "microsandbox.linux-x64-gnu.node", "bin/msb", "lib/libkrunfw.so. " , "license": "Apache-2.0", "engines": { "node": " = 22" } } Evidence: `sdk/node-ts/npm/linux-x64-gnu/package.json`
- **Package** (package_manifest): { "name": "microsandbox", "version": "0.5.6", "type": "module", "main": "./dist/index.js", "types": "./dist/index.d.ts", "exports": { ".": { "types": "./dist/index.d.ts", "import": "./dist/index.js" }, "./native": { "types": "./native/index.d.ts", "default": "./native/index.cjs" } }, "bin": { "microsandbox": "bin/microsandbox.cjs", "msb": "bin/microsandbox.cjs" }, "napi": { "binaryName": "microsandbox", "packageName": "@superradcompany/microsandbox", "targets": "aarch64-apple-darwin", "x86 64-unknown-linux-gnu", "aarch64-unknown-linux-gnu" }, "license": "Apache-2.0", "engines": { "node": " = 22" }, "scripts": { "build:native": "napi build --release --platform --js index.cjs --dts index.d.ts… Evidence: `sdk/node-ts/package.json`
- **AGENTS.md** (documentation): These instructions are only for agents contributing changes to this repository. Do not apply them to other repositories or to general agent behavior outside this contribution workflow. Evidence: `AGENTS.md`
- **Contributing to Microsandbox** (documentation): Hello there! Whether you're a seasoned developer or just getting started, we're thrilled that you're interested in contributing to Microsandbox. This community thrives because of people like you! Evidence: `CONTRIBUTING.md`
- **License** (source_file): Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ Evidence: `LICENSE`
- **Lib** (source_file): pub mod client; pub mod error; pub mod message; pub mod stream; pub mod transport; pub mod transports { ⋮---- pub mod uds; ⋮---- pub use stream::AgentStream; Evidence: `agent-client/rust/lib/lib.rs`
- **Lib** (source_file): mod config; mod error; mod rlimit; pub mod agent; pub mod clock; pub mod fs; pub mod handoff; pub mod heartbeat; pub mod init; pub mod network; pub mod serial; pub mod session; pub mod tcp; pub mod tls; Evidence: `crates/agentd/lib/lib.rs`
- **Mod** (source_file): use crate::ui; pub mod common; pub mod copy; pub mod create; pub mod exec; pub mod image; pub mod inspect; pub mod install; pub mod list; pub mod logs; pub mod metrics; pub mod ps; pub mod pull; pub mod registry; pub mod remove; pub mod run; pub mod self cmd; pub mod snapshot; ⋮---- pub mod ssh; pub mod start; pub mod stop; pub mod uninstall; pub mod volume; pub async fn maybe stop sandbox: &Sandbox { if sandbox.owns lifecycle && let Err e = sandbox.stop .await ⋮---- ui::warn &format! "failed to stop sandbox: {e}" ; ⋮---- pub async fn resolve and start name: &str, quiet: bool - anyhow::Result { ⋮---- match handle.status { ⋮---- let sandbox = handle.connect .await?; if sandbox.client .is leg… Evidence: `crates/cli/lib/commands/mod.rs`
- **Lib** (source_file): pub mod boot error render; pub mod commands; pub mod exec error render; pub mod log args; ⋮---- pub mod net rule; pub mod sandbox cmd; pub mod styles; pub mod tree; pub mod ui; Evidence: `crates/cli/lib/lib.rs`
- **Flat Rootfs** (source_file): pub struct Model { ⋮---- pub enum Relation { ⋮---- fn to - RelationDef { Relation::Manifest.def ⋮---- Relation::SandboxRootfs.def ⋮---- impl ActiveModelBehavior for ActiveModel {} Evidence: `crates/db/lib/entity/flat_rootfs.rs`
- **Mod** (source_file): pub mod config; pub mod image ref; pub mod layer; pub mod manifest; pub mod manifest layer; pub mod run; pub mod sandbox; pub mod sandbox label; pub mod sandbox rootfs; pub mod snapshot; pub mod volume; Evidence: `crates/db/lib/entity/mod.rs`
- **Lib** (source_file): pub mod connection; ⋮---- pub mod entity; pub mod pool; pub mod retry; Evidence: `crates/db/lib/lib.rs`
- **Create Ops** (source_file): pub crate fn do create ⋮---- let name bytes = name.to bytes ; ⋮---- let parent node = get node &fs.state, parent ?; let node state = parent node.state.read .unwrap .clone ; ⋮---- node state: node state.clone , ⋮---- name: name bytes.to vec , ⋮---- if let std::ops::ControlFlow::Break r = handle hook decision run decision hooks &fs.hooks, &mut hook ctx, h, ctx h.before resolve ctx , ⋮---- return Ok entry, None, OpenOptions::empty ; ⋮---- let plan = fs.policy.plan &hook ctx.req, &view, &hook ctx.hints ?; let target = plan.target backend .unwrap or BackendId::BackendA ; ensure backend presence fs, ctx, parent, target ?; check name available fs, parent, name bytes, target ?; ⋮---- resolve backen… Evidence: `crates/filesystem/lib/backends/dualfs/create_ops.rs`
- **Materialize** (source_file): use crate::backends::shared::platform; ⋮---- pub crate fn do materialize ⋮---- let node = get node &fs.state, guest inode ?; ⋮---- let state = node.state.read .unwrap ; if state.backend inode target .is some && state.current backend == Some target { return Ok ; ⋮---- let lock = node.copy up lock.lock .unwrap ; ⋮---- if state.current backend == Some target { ⋮---- .backend inode source .ok or else io::Error::from raw os error libc::EINVAL ? ⋮---- ensure ancestors fs, ctx, guest inode, target ?; ⋮---- .read .unwrap .get &guest inode .and then s s.iter .next .cloned .ok or else io::Error::from raw os error libc::ENOENT ? ⋮---- let parent target inode = resolve backend inode &fs.state, parent i… Evidence: `crates/filesystem/lib/backends/dualfs/materialize.rs`
- **Mod** (source_file): pub crate mod builder; mod create ops; mod dir ops; mod file ops; pub mod hooks; mod lookup; mod materialize; mod metadata; pub mod policies; pub mod policy; mod remove ops; mod special; pub mod types; mod xattr ops; ⋮---- use hooks::DualDispatchHook; use policy::DualDispatchPolicy; ⋮---- pub struct DualFs { ⋮---- impl DualFs { pub fn builder - builder::DualFsBuilder { ⋮---- impl DynFileSystem for DualFs { fn init &self, capable: FsOptions - io::Result { let ba supported = self.backend a.init capable ?; let bb supported = self.backend b.init capable ?; ⋮---- if capable.contains FsOptions::DO READDIRPLUS && child support.contains FsOptions::DO READDIRPLUS ⋮---- && capable.contains FsOptions:… Evidence: `crates/filesystem/lib/backends/dualfs/mod.rs`
- **Mod** (source_file): mod backend a fallback to backend b; mod backend a only; mod merge reads; mod read backend b write backend a; pub use backend a fallback to backend b::BackendAFallbackToBackendBRead; pub use backend a only::BackendAOnly; pub use merge reads::MergeReadsBackendAPrecedence; pub use read backend b write backend a::ReadBackendBWriteBackendA; Evidence: `crates/filesystem/lib/backends/dualfs/policies/mod.rs`
- **derive Debug, Clone, Copy, PartialEq, Eq** (source_file): use std::io; ⋮---- pub trait DualDispatchPolicy: Send + Sync { ⋮---- /// Describes the incoming FUSE operation for the policy to inspect. pub struct RequestCtx { ⋮---- pub struct RequestCtx { /// The FUSE operation kind. pub op: OpKind, /// Guest inode the operation targets. pub guest inode: u64, /// Current backing state of the target node. pub node state: NodeState, /// File kind. pub file kind: super::types::FileKind, /// Operation-specific flags. pub flags: u32, /// Name argument for name-based ops . pub name: Vec , /// Parent guest inode for name-based ops . 0 for inode-only ops. pub parent inode: u64, ⋮---- /// FUSE operation kind. derive Debug, Clone, Copy, PartialEq, Eq ⋮---- pub en… Evidence: `crates/filesystem/lib/backends/dualfs/policy.rs`
- **Create Ops** (source_file): pub crate fn do create ⋮---- if parent == ROOT INODE && init binary::is init name name.to bytes { return Err platform::eexist ; ⋮---- let name bytes = name.to bytes .to vec ; ⋮---- let mut ch = children.write .unwrap ; if ch.contains key &name bytes { fs.inode count.fetch sub 1, Ordering::Relaxed ; ⋮---- ch.insert name bytes, ino ; ⋮---- return Err platform::enotdir ; ⋮---- let mut meta = parent node.meta.write .unwrap ; ⋮---- fs.nodes.write .unwrap .insert ino, node.clone ; let handle = fs.next handle.fetch add 1, Ordering::Relaxed ; let handle flags = super::normalize handle flags fs.writeback.load Ordering::Relaxed , flags ; ⋮---- fs.file handles.write .unwrap .insert handle, fh ; ⋮----… Evidence: `crates/filesystem/lib/backends/memfs/create_ops.rs`
- **Mod** (source_file): pub crate mod builder; mod create ops; mod dir ops; mod file ops; mod inode; mod metadata; mod remove ops; mod special; pub mod types; mod xattr ops; ⋮---- pub struct MemFs { ⋮---- impl MemFs { pub fn builder - builder::MemFsBuilder { ⋮---- pub crate fn cache open options &self - OpenOptions { ⋮---- pub crate fn cache dir options &self - OpenOptions { ⋮---- pub crate fn normalize handle flags writeback: bool, flags: u32 - u32 { ⋮---- impl DynFileSystem for MemFs { fn init &self, capable: FsOptions - io::Result { ⋮---- if capable.contains FsOptions::DO READDIRPLUS { ⋮---- if self.cfg.writeback && capable.contains FsOptions::WRITEBACK CACHE { ⋮---- self.writeback.store true, Ordering::Relaxed… Evidence: `crates/filesystem/lib/backends/memfs/mod.rs`
- **Mod** (source_file): pub mod dualfs; pub mod memfs; pub mod passthroughfs; pub crate mod shared; Evidence: `crates/filesystem/lib/backends/mod.rs`
- **Create Ops** (source_file): pub crate fn do create ⋮---- if fs.cfg.readonly { return Err platform::erofs ; ⋮---- if fs.is reserved init name parent, name.to bytes { return Err platform::eacces ; ⋮---- let host initial mode = if fs.cfg.xattr enabled { ⋮---- parent fd.raw , name.as ptr , ⋮---- return Err platform::linux error io::Error::last os error ; ⋮---- if fs.cfg.xattr enabled { if fs.cfg.mirror host permissions && let Err e = fchmod mirror fd, file mode, platform::MODE REG ⋮---- unsafe { libc::unlinkat parent fd.raw , name.as ptr , 0 }; return Err e ; ⋮---- if let Some ovr = stat override::get override open fd, true, fs.cfg.strict enabled ? ⋮---- let handle = fs.next handle.fetch add 1, Ordering::Relaxed ; ⋮---- f… Evidence: `crates/filesystem/lib/backends/passthroughfs/create_ops.rs`
- **Mod** (source_file): pub crate mod builder; mod create ops; mod dir ops; mod file ops; mod host mode; pub crate mod inode; mod metadata; mod remove ops; mod special; mod xattr ops; ⋮---- pub enum CachePolicy { ⋮---- pub enum StatVirtualization { ⋮---- pub enum HostPermissions { ⋮---- pub struct PassthroughConfig { ⋮---- pub struct PassthroughFs { ⋮---- pub crate struct PassthroughDirHandle { ⋮---- pub crate struct DirSnapshot { ⋮---- pub crate struct PassthroughDirEntry { ⋮---- impl PassthroughFs { pub fn builder - builder::PassthroughFsBuilder { ⋮---- pub fn new cfg: PassthroughConfig - io::Result { ⋮---- .to str .ok or else platform::einval ? .as bytes , ⋮---- .map err platform::einval ?; ⋮---- root path.as p… Evidence: `crates/filesystem/lib/backends/passthroughfs/mod.rs`
- **Dir Snapshot** (source_file): use crate::DirEntry; pub crate trait SnapshotEntry { ⋮---- pub crate fn serve snapshot entries ⋮---- .iter .position entry entry.offset offset .unwrap or entries.len ; ⋮---- if slice.is empty { ⋮---- let mut raw entries = Vec::with capacity slice.len ; ⋮---- let name offset = names buf.len ; names buf.extend from slice entry.name ; raw entries.push entry.inode , entry.offset , entry.file type , ⋮---- entry.name .len , ⋮---- let leaked: &'static u8 = Box::leak names buf.into boxed slice ; ⋮---- .into iter .map ino, off, typ, start, len DirEntry { ⋮---- .collect Evidence: `crates/filesystem/lib/backends/shared/dir_snapshot.rs`
- **Mod** (source_file): pub crate mod dir snapshot; pub crate mod handle table; pub crate mod init binary; pub crate mod inode table; pub crate mod name validation; pub crate mod platform; pub crate mod stat override; Evidence: `crates/filesystem/lib/backends/shared/mod.rs`
- **Lib** (source_file): pub mod agentd; pub mod backends; Evidence: `crates/filesystem/lib/lib.rs`
- **Mod** (source_file): mod docker; Evidence: `crates/image/lib/archive/mod.rs`
- **Mod**（source_file）：pub crate mod lock; mod store; pub crate use store::is valid erofs artifact async; 证据：`crates/image/lib/cache/mod.rs`
- **Mod**（source_file）：pub crate mod format; pub mod fsmeta; pub mod reader; pub crate mod writer; pub use fsmeta::write fsmeta; 证据：`crates/image/lib/erofs/mod.rs`
- **Mod**（source_file）：mod format; mod formatter; 证据：`crates/image/lib/ext4/mod.rs`
- **Mod**（source_file）：mod download; pub crate use download::Layer; 证据：`crates/image/lib/layer/mod.rs`
- **Lib**（source_file）：mod archive; mod auth; mod cache; mod config; pub crate mod crc32c; mod digest; pub mod erofs; mod error; pub mod ext4; pub crate mod layer; mod platform; mod progress; mod pull; mod registry; pub mod snapshot; pub crate mod stitch; pub mod tar; pub mod tree; ⋮---- pub use auth::RegistryAuth; ⋮---- pub use config::ImageConfig; pub use digest::Digest; ⋮---- pub use oci client::Reference; 证据：`crates/image/lib/lib.rs`
- **Mod**（source_file）：mod builder; mod client; mod manifest; pub use builder::RegistryBuilder; pub use client::Registry; 证据：`crates/image/lib/registry/mod.rs`
- **Mod**（source_file）：pub mod manifest; 证据：`crates/image/lib/snapshot/mod.rs`
- **Mod**（source_file）：pub crate mod vmdk; pub crate use vmdk::write vmdk descriptor; 证据：`crates/image/lib/stitch/mod.rs`
- **Mod**（source_file）：mod ingest; 证据：`crates/image/lib/tar/mod.rs`
- **Mod**（source_file）：mod model; 证据：`crates/image/lib/tree/mod.rs`
- **Mod**（source_file）：mod builder; mod driver; mod label cache; mod label source; mod reader; mod types; mod worker; ⋮---- pub crate mod mocks; 证据：`crates/metrics-collector/lib/core/mod.rs`
- **Mod**（source_file）：pub mod otel; pub mod stdout; ⋮---- pub use stdout::StdoutExporter; 证据：`crates/metrics-collector/lib/exporters/mod.rs`
- **Otel**（source_file）：use async trait::async trait; ⋮---- use opentelemetry sdk::Resource; use opentelemetry sdk::error::OTelSdkResult; use opentelemetry sdk::metrics::data::ResourceMetrics; use opentelemetry sdk::metrics::exporter::PushMetricExporter; use opentelemetry sdk::metrics::reader::MetricReader; ⋮---- const SCOPE VERSION: &str = env! "CARGO PKG VERSION" ; ⋮---- pub enum OtlpProtocol { ⋮---- pub enum OtlpCompression { ⋮---- struct IdentityAttributes { ⋮---- impl Default for IdentityAttributes { fn default - Self { ⋮---- struct Instruments { ⋮---- struct SelfInstruments { ⋮---- pub struct OtelExporter { ⋮---- struct SharedManualReader Arc ; impl MetricReader for SharedManualReader { fn register pipeline… 证据：`crates/metrics-collector/lib/exporters/otel.rs`
- **Lib**（source_file）：pub mod core; mod error; pub mod exporters; ⋮---- pub use microsandbox metrics::SandboxMetrics; 证据：`crates/metrics-collector/lib/lib.rs`
- **Lib**（source_file）：mod error; mod layout; mod registry; mod snapshot; 证据：`crates/metrics/lib/lib.rs`
- **Mod**（source_file）：mod bridge; use std::ops::Deref; use std::path::Path; use std::time::Duration; use tokio::time::Instant; pub struct AgentClient microsandbox agent client::AgentClient ; pub async fn connect sandbox name: &str - AgentClientResult { connect sandbox with timeout name, Duration::from secs 10 .await ⋮---- pub async fn connect sandbox with timeout ⋮---- return Err AgentClientError::InvalidSandboxName message ; ⋮---- if !sock path.exists { ⋮---- Ok client = return Ok client , Err error = last error = Some error , ⋮---- Some error = Err error , None = Err AgentClientError::SandboxNotFound name.to string , ⋮---- impl AgentClient { pub async fn connect sock path: impl AsRef - AgentClientResult { ⋮---… 证据：`crates/microsandbox/lib/agent/mod.rs`
- **Mod**（source_file）：use microsandbox image::RegistryAuth; use microsandbox runtime::logging::LogLevel; ⋮---- pub fn default metrics sample interval - Option { ⋮---- pub crate mod metrics interval serde { ⋮---- use std::num::NonZero; pub fn serialize v: &Option , s: S - Result { v.map n n.get .unwrap or 0 .serialize s ⋮---- pub fn deserialize d: D - Result , D::Error { Ok NonZero::new u64::deserialize d ? ⋮---- pub struct GlobalConfig { ⋮---- pub struct MetricsConfig { ⋮---- pub struct DatabaseConfig { ⋮---- pub struct PathsConfig { ⋮---- pub struct SandboxDefaults { ⋮---- pub struct OciSandboxDefaults { ⋮---- pub struct RegistriesConfig { ⋮---- pub struct RegistryEntry { ⋮---- pub struct RegistryAuthEntry { ⋮-… 证据：`crates/microsandbox/lib/config/mod.rs`
- **Mod**（source_file）：pub use microsandbox db::entity; ⋮---- use microsandbox db::pool::DbPools; ⋮---- use tokio::sync::OnceCell; ⋮---- struct MigrationLock { ⋮---- pub async fn init global - MicrosandboxResult { ⋮---- .get or try init async { let db dir = microsandbox utils::resolve home .join microsandbox utils::DB SUBDIR ; connect and migrate &db dir .await ⋮---- /// Get the global pools, or None if init global has not run. pub fn global - Option { ⋮---- pub fn global - Option { GLOBAL POOL.get ⋮---- async fn connect and migrate db dir: &Path - MicrosandboxResult { ⋮---- let migration lock = acquire migration lock db dir .await?; ⋮---- let db path = db dir.join microsandbox utils::DB FILENAME ; ⋮---- .map err… 证据：`crates/microsandbox/lib/db/mod.rs`
- **Mod** (source_file): pub struct Image; ⋮---- pub struct ImageHandle { ⋮---- pub struct ImageDetail { ⋮---- pub struct ImageConfigDetail { ⋮---- pub struct ImageLayerDetail { ⋮---- pub struct ImagePruneReport { ⋮---- struct ImagePruneCleanup { ⋮---- impl ImageHandle { pub fn reference(&self) -> &str { ⋮---- pub fn size_bytes(&self) -> Option { ⋮---- pub fn manifest_digest(&self) -> Option { self.manifest_digest.as_deref() ⋮---- pub fn architecture(&self) -> Option { self.architecture.as_deref() ⋮---- pub fn os(&self) -> Option { self.os.as_deref() ⋮---- pub fn layer_count(&self) -> usize { ⋮---- pub fn last_used_at(&self) -> Option { ⋮---- pub fn created_at(&self) -> Option { ⋮---- impl Image { pub async fn persist ⋮---- let db = poo… Evidence: `crates/microsandbox/lib/image/mod.rs`
- **Lib** (source_file): mod error; pub mod agent; pub mod config; ⋮---- pub(crate) mod db; pub mod image; pub mod logs; pub mod runtime; pub mod sandbox; pub mod setup; pub mod snapshot; pub mod volume; ⋮---- pub use microsandbox_image::RegistryAuth; ⋮---- pub use microsandbox_runtime::logging::LogLevel; pub use microsandbox_utils::size; ⋮---- pub use sandbox::NetworkPolicy; Evidence: `crates/microsandbox/lib/lib.rs`
- The remaining 20 evidence entries are listed in `AI_CONTEXT_PACK.json` or `EVIDENCE_INDEX.json`.

## Rules the host AI must follow

- **Treat this asset as pre-work context, not as a runtime environment.**: The AI Context Pack contains only evidence-backed project understanding, not any executable state of the target project. Evidence: `README.md`, `agent-client/README.md`, `agent-client/rust/README.md`
- **When answering the user, distinguish content that can be previewed from content that can only be verified after installation.**: The consumer value of a pre-install experience comes from reducing mis-installs and misjudgments, not from posing as a real run. Evidence: `README.md`, `agent-client/README.md`, `agent-client/rust/README.md`

## Questions the user should answer before starting

- Which host AI or local environment do you plan to use it in?
- Do you just want to try the workflow first, or are you planning a real install?
- What matters most to you: installation cost, output quality, or conflicts with your existing rules?

## Acceptance criteria

- Every capability claim can be traced back to a file path in evidence_refs.
- AI_CONTEXT_PACK.md does not package the preview as a real run.
- A user can understand within 3 minutes who it suits, what it can do, how to start, and where the risk boundaries lie.

---

## Doramagic Context Augmentation

The content below reinforces the Repomix/AI Context Pack body. The Human Manual only provides a reading skeleton; the pitfall log is converted into working constraints the host AI must follow.

## Human Manual skeleton

Usage rule: this is only a project reading route and a salience signal, not a factual authority. Specific facts must still be traced back to repo evidence / the Claim Graph.

Hard rules for the host AI:
- Do not treat page titles, section order, summaries or importance as evidence of project facts.
- When explaining the Human Manual skeleton, state explicitly that it is only a reading route / salience signal.
- Judgments about capabilities, installation, compatibility, runtime state and risk must cite repo evidence, a source path or the Claim Graph.

- **System Architecture and MicroVM Runtime**: importance `high`
  - source_paths: crates/runtime/lib/lib.rs, crates/runtime/lib/vm.rs, crates/runtime/lib/heartbeat.rs, crates/agentd/lib/lib.rs, crates/agentd/bin/main.rs
- **Networking, TLS, DNS, Secrets, and Egress Policy**: importance `high`
  - source_paths: crates/network/lib/lib.rs, crates/network/lib/network.rs, crates/network/lib/stack.rs, crates/network/lib/backend.rs, crates/network/lib/builder.rs
- **SDKs (Rust, Python, TypeScript, Go) and the msb CLI**: importance `high`
  - source_paths: sdk/python/microsandbox/__init__.py, sdk/python/src/lib.rs, sdk/python/src/sandbox.rs, sdk/python/src/exec.rs, sdk/python/src/image.rs
- **Images, Root Filesystems, Snapshots, Volumes, and Storage Limits**: importance `high`
  - source_paths: crates/image/lib/lib.rs, crates/image/lib/pull.rs, crates/image/lib/registry/mod.rs, crates/image/lib/registry/client.rs, crates/image/lib/registry/manifest.rs

## Repo Inspection Evidence

- repo_clone_verified: true
- repo_inspection_verified: true
- repo_commit: `b69257c55aa3b62b3dfbed1d9b8a2b219fd09a97`
- inspected_files: `README.md`, `docs/configuration.mdx`, `docs/docs.json`, `docs/sandboxes/snapshots.mdx`, `docs/sandboxes/overview.mdx`, `docs/sandboxes/filesystem.mdx`, `docs/sandboxes/logs.mdx`, `docs/sandboxes/volumes.mdx`, `docs/sandboxes/secrets.mdx`, `docs/sandboxes/metrics.mdx`, `docs/sandboxes/customize.mdx`, `docs/sandboxes/ssh.mdx`, `docs/sandboxes/commands.mdx`, `docs/sandboxes/lifecycle.mdx`, `docs/changelog/2026-04-24.mdx`, `docs/changelog/2026-05-15.mdx`, `docs/changelog/2026-05-01.mdx`, `docs/changelog/2026-05-22.mdx`, `docs/changelog/2026-04-10.mdx`, `docs/changelog/2026-04-03.mdx`

Hard rules for the host AI:
- Without repo_clone_verified=true, do not claim to have read the source code.
- Without repo_inspection_verified=true, do not present judgments drawn from README/docs/package files as facts.
- Without quick_start_verified=true, do not claim the Quick Start has been run successfully.

## Doramagic Pitfall Constraints

These rules come from project-specific pitfalls that Doramagic discovered, verified or compiled. The host AI must treat them as working constraints, not as ordinary explanatory text.

### Constraint 1: Source evidence: Python SDK: expose Image.load() and Image.save() for local image archives

- Trigger: GitHub community evidence shows the project has an unverified installation-related issue: Python SDK: expose Image.load() and Image.save() for local image archives
- Why it matters: May increase the cost of trial use for new users and of production adoption.
- Evidence: community_evidence:github | https://github.com/superradcompany/microsandbox/issues/973 | The source discussion mentions python-related conditions; re-check before installing or trialing.
- Hard boundary: Do not package this pitfall as resolved, verified or ignorable unless later verification evidence clearly shows it has been closed.

### Constraint 2: Source evidence: Support a much low glibc version in Linux

- Trigger: GitHub community evidence shows the project has an unverified installation-related issue: Support a much low glibc version in Linux
- Why it matters: May increase the cost of trial use for new users and of production adoption.
- Evidence: community_evidence:github | https://github.com/superradcompany/microsandbox/issues/931 | The source discussion mentions linux-related conditions; re-check before installing or trialing.
- Hard boundary: Do not package this pitfall as resolved, verified or ignorable unless later verification evidence clearly shows it has been closed.

### Constraint 3: Source evidence: Intermittent (~1/3) indefinite guest hang on first outbound TLS under a `Destination::Domain` egress rule (0.5.x; not 0…

- Trigger: GitHub community evidence shows the project has an unverified configuration-related issue: Intermittent (~1/3) indefinite guest hang on first outbound TLS under a `Destination::Domain` egress rule (0.5.x; not 0.4.6)
- Why it matters: May block installation or the first run.
- Evidence: community_evidence:github | https://github.com/superradcompany/microsandbox/issues/894 | The source discussion mentions linux-related conditions; re-check before installing or trialing.
- Hard boundary: Do not package this pitfall as resolved, verified or ignorable unless later verification evidence clearly shows it has been closed.

### Constraint 4: Failure mode: security_permissions: Secret substitution fails with HTTPS_PROXY that uses http:// and port 80

- Trigger: Developers should check this security_permissions risk before relying on the project: Secret substitution fails with HTTPS_PROXY that uses http:// and port 80
- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: Secret substitution fails with HTTPS_PROXY that uses http:// and port 80. Context: Source discussion did not expose a precise runtime context.
- Why it matters: Developers may expose sensitive permissions or credentials: Secret substitution fails with HTTPS_PROXY that uses http:// and port 80
- Evidence: failure_mode_cluster:github_issue | https://github.com/superradcompany/microsandbox/issues/752 | Secret substitution fails with HTTPS_PROXY that uses http:// and port 80
- Hard boundary: Do not package this pitfall as resolved, verified or ignorable unless later verification evidence clearly shows it has been closed.

### Constraint 5: Failure mode: security_permissions: Windows Support (without WSL)

- Trigger: Developers should check this security_permissions risk before relying on the project: Windows Support (without WSL)
- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: Windows Support (without WSL). Context: Observed when using docker, windows, macos, linux
- Why it matters: Developers may expose sensitive permissions or credentials: Windows Support (without WSL)
- Evidence: failure_mode_cluster:github_issue | https://github.com/superradcompany/microsandbox/issues/47 | Windows Support (without WSL)
- Hard boundary: Do not package this pitfall as resolved, verified or ignorable unless later verification evidence clearly shows it has been closed.

### Constraint 6: Failure mode: security_permissions: support secret substitution for plain http

- Trigger: Developers should check this security_permissions risk before relying on the project: support secret substitution for plain http
- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: support secret substitution for plain http. Context: Source discussion did not expose a precise runtime context.
- Why it matters: Developers may expose sensitive permissions or credentials: support secret substitution for plain http
- Evidence: failure_mode_cluster:github_issue | https://github.com/superradcompany/microsandbox/issues/646 | support secret substitution for plain http
- Hard boundary: Do not package this pitfall as resolved, verified or ignorable unless later verification evidence clearly shows it has been closed.

### Constraint 7: Source evidence: Secret substitution fails with HTTPS_PROXY that uses http:// and port 80

- Trigger: GitHub community evidence shows the project has an unverified security/permissions-related issue: Secret substitution fails with HTTPS_PROXY that uses http:// and port 80
- Why it matters: May affect authorization, key configuration or security boundaries.
- Evidence: community_evidence:github | https://github.com/superradcompany/microsandbox/issues/752 | An unverified usage condition exposed by a source of type github_issue.
- Hard boundary: Do not package this pitfall as resolved, verified or ignorable unless later verification evidence clearly shows it has been closed.

### Constraint 8: Source evidence: Windows Support (without WSL)

- Trigger: GitHub community evidence shows the project has an unverified security/permissions-related issue: Windows Support (without WSL)
- Why it matters: May affect authorization, key configuration or security boundaries.
- Evidence: community_evidence:github | https://github.com/superradcompany/microsandbox/issues/47 | The source discussion mentions windows-related conditions; re-check before installing or trialing.
- Hard boundary: Do not package this pitfall as resolved, verified or ignorable unless later verification evidence clearly shows it has been closed.

### Constraint 9: Failure mode: installation: v0.4.4

- Trigger: Developers should check this installation risk before relying on the project: v0.4.4
- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: v0.4.4. Context: Observed when using node, python
- Why it matters: Upgrade or migration may change expected behavior: v0.4.4
- Evidence: failure_mode_cluster:github_release | https://github.com/superradcompany/microsandbox/releases/tag/v0.4.4 | v0.4.4
- Hard boundary: Do not package this pitfall as resolved, verified or ignorable unless later verification evidence clearly shows it has been closed.

### Constraint 10: Failure mode: installation: v0.5.0

- Trigger: Developers should check this installation risk before relying on the project: v0.5.0
- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: v0.5.0. Context: Observed when using node, python
- Why it matters: Upgrade or migration may change expected behavior: v0.5.0
- Evidence: failure_mode_cluster:github_release | https://github.com/superradcompany/microsandbox/releases/tag/v0.5.0 | v0.5.0
- Hard boundary: Do not package this pitfall as resolved, verified or ignorable unless later verification evidence clearly shows it has been closed.
