2nd/10_Wiki/Topics/AI_and_ML/Artifacts & Infrastructure.md

id, title, category, status, canonical_id, aliases, duplicate_of, source_trust_level, confidence_score, verification_status, tags, raw_sources, last_reinforced, github_commit, tech_stack

id	title	category	status	canonical_id	aliases	duplicate_of	source_trust_level	confidence_score	verification_status	tags	raw_sources	last_reinforced	github_commit	tech_stack
wiki-2026-0508-artifacts-and-infrastructure	Artifacts & Infrastructure (Agentic Systems)	10_Wiki/Topics	verified	self	agent artifacts sandbox microVM container isolation agent infrastructure artifact store	none	B	0.88	applied	agent infrastructure sandbox docker microvm artifacts e2b modal fly-machines agent-harness		2026-05-10	pending	language framework TypeScript / Python Docker / Firecracker / E2B / Modal / Fly Machines

Artifacts & Infrastructure

📌 한 줄 통찰

"매 agent 의 physical body". 매 produced output (code, doc, image) 의 store + index + version. 매 execution 의 sandbox (container / microVM). 매 modern agent system 의 backbone — 매 E2B / Modal / Fly Machines.

📖 핵심

매 artifact 의 종류

1. Code: file, snippet, PR.
2. Document: markdown, JSON, structured.
3. Media: image, video, audio.
4. Data: dataset, embedding.
5. Trace: thought process log.

매 artifact store 의 component

• Storage: S3 / Minio / FS.
• Metadata: id, type, parent, hash, timestamp.
• Index: search (Elasticsearch / SQLite FTS).
• Versioning: content-addressed (Git-like) or sequential.
• Access control: per-user / per-agent.

매 reference vs full

• 매 model context 의 limit → 매 reference id + summary 만 의 inject.
• 매 full content 의 explicit fetch.
• 매 attention budget 의 conserve.

매 execution infrastructure

Container (Docker)

• 매 standardized environment.
• 매 image immutable.
• 매 namespace isolation (PID, network, mount).
• 매 cgroups resource limit.
• ✅ 매 fast.
• ❌ 매 kernel share (security weak).

MicroVM (Firecracker)

• 매 lightweight VM.
• 매 hardware-virtualized.
• 매 boot < 125 ms.
• ✅ 매 strong isolation.
• ❌ 매 slightly slower.
• 매 AWS Lambda / Fly Machines 사용.

gVisor (Google)

• 매 user-space kernel.
• 매 syscall intercept.
• 매 between container + VM.

WebAssembly (Wasm)

• 매 sandbox by design.
• 매 fast startup.
• 매 language-agnostic.
• 매 limited syscall.

매 modern agent infra

• E2B: 매 Firecracker-based, 매 agent-focused.
• Modal: 매 Python serverless + GPU.
• Fly Machines: 매 microVM, 매 global.
• CodeSandbox: 매 sandbox dev env.
• Replit Agent: 매 in-IDE.
• Daytona: 매 dev environment.

매 artifact lifecycle

1. Create: 매 agent 가 produce.
2. Store: 매 artifact store.
3. Index: 매 metadata + content search.
4. Reference: 매 future agent 의 cite.
5. Version: 매 update / rollback.
6. Garbage collect: 매 unused / TTL.

매 visualization

• HTML preview: React, plain.
• Mermaid: diagram.
• Markdown: doc.
• CSV / Table: data.
• Image / Video: media.
• 3D: glb / gltf.

→ 매 user 의 immediate verification.

매 trade-off

• Storage cost: 매 retention policy.
• Indexing latency: 매 fast write 의 lazy index.
• Isolation strength: 매 security ↑ → 매 perf ↓.
• Cold start: 매 sandbox 의 fast boot.
• Secret management: 매 leak 방지.

매 security

• Network egress: 매 whitelist.
• Filesystem: 매 read-only base + writable scratch.
• Resource limit (CPU, memory, disk, time).
• Syscall filter (seccomp).
• Secret injection: 매 env var, 매 vault.
• Output scanning: 매 secret leak detect.

💻 패턴

Artifact store (FS-based)

import { createHash } from 'crypto';
import * as fs from 'fs/promises';

class ArtifactStore {
  async write(content: string | Buffer, metadata: Record<string, any>) {
    const hash = createHash('sha256').update(content).digest('hex');
    const path = `./artifacts/${hash.slice(0, 2)}/${hash}`;
    await fs.mkdir(path.split('/').slice(0, -1).join('/'), { recursive: true });
    await fs.writeFile(path, content);
    
    await this.indexMetadata(hash, metadata);
    return { id: hash, path };
  }
  
  async read(id: string): Promise<{ content: Buffer; metadata: any }> {
    const path = `./artifacts/${id.slice(0, 2)}/${id}`;
    const [content, metadata] = await Promise.all([
      fs.readFile(path),
      this.fetchMetadata(id),
    ]);
    return { content, metadata };
  }
  
  async indexMetadata(id: string, metadata: any) {
    // 매 SQLite / Elasticsearch
    await db.insert('artifacts', { id, ...metadata, ts: Date.now() });
  }
}

E2B sandbox (Python)

from e2b import Sandbox

sandbox = Sandbox.create('python3')
result = sandbox.run_code("""
import pandas as pd
df = pd.DataFrame({'a': [1, 2, 3]})
print(df.sum())
""")
print(result.text)  # 매 stdout
print(result.results)  # 매 plotted image, table

sandbox.close()

Modal (serverless GPU)

import modal

app = modal.App('my-agent')
image = modal.Image.debian_slim().pip_install('transformers', 'torch')

@app.function(image=image, gpu='A10G', timeout=600)
def run_inference(prompt: str) -> str:
    from transformers import pipeline
    pipe = pipeline('text-generation', model='meta-llama/Llama-3-8B')
    return pipe(prompt)[0]['generated_text']

@app.local_entrypoint()
def main():
    result = run_inference.remote('Hello')
    print(result)

Docker sandbox (limited)

import docker

client = docker.from_env()

def run_in_sandbox(code: str, language: str = 'python', timeout: int = 30):
    container = client.containers.run(
        f'sandbox-{language}',
        f'python -c "{code}"',
        mem_limit='512m',
        cpu_quota=50000,  # 매 0.5 CPU
        network_disabled=True,
        read_only=True,
        tmpfs={'/tmp': 'size=64m'},
        security_opt=['no-new-privileges'],
        cap_drop=['ALL'],
        detach=True,
    )
    try:
        container.wait(timeout=timeout)
        return container.logs().decode()
    finally:
        container.remove(force=True)

Fly Machines (microVM)

fly machine run python:3.11 \
  --region sfo \
  --vm-cpus 2 \
  --vm-memory 1024 \
  --env API_KEY=$API_KEY \
  -- python /app/agent.py

Mermaid artifact preview

function renderMermaidArtifact(diagram: string): string {
  return `
    <html><body>
      <pre class="mermaid">${escapeHtml(diagram)}</pre>
      <script src="https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js"></script>
      <script>mermaid.initialize({ startOnLoad: true });</script>
    </body></html>
  `;
}

Secret leak detector

import re

SECRET_PATTERNS = [
    re.compile(r'AKIA[0-9A-Z]{16}'),  # AWS
    re.compile(r'sk-[a-zA-Z0-9]{32,}'),  # OpenAI
    re.compile(r'github_pat_[a-zA-Z0-9_]{82}'),
    re.compile(r'-----BEGIN (RSA |EC )?PRIVATE KEY-----'),
]

def scan_for_secrets(artifact_content: str) -> list[str]:
    findings = []
    for pattern in SECRET_PATTERNS:
        for match in pattern.findall(artifact_content):
            findings.append(redact(match))
    return findings

🤔 결정 기준

요구	Infra
Untrusted code	E2B / Firecracker
Trusted Python	Modal
Long-running	Fly Machines
Light isolation	Docker + seccomp
Browser-side	Wasm
Code preview	HTML iframe sandbox
Permanent artifact	S3 + content-addressed
Ephemeral	tmpfs + TTL

기본값: E2B (untrusted) + Modal (trusted) + S3 artifact store + content-hash dedup.

🔗 Graph

• 부모: Agent-Architecture · Cloud-Infrastructure
• 변형: Sandbox · Container · MicroVM · Wasm
• 응용: E2B · Modal · Fly-Machines · Firecracker · gVisor
• Adjacent: Agent-Harness · Context-Manager · Tool-Use · Code-Execution

🤖 LLM 활용

언제: 매 agent system design. 매 sandbox selection. 매 artifact store schema. 매 security review. 언제 X: 매 single trusted user (over-engineering).

❌ 안티패턴

• Run untrusted in host: 매 RCE.
• No resource limit: 매 fork bomb.
• Network unrestricted: 매 data exfil.
• Secret in env (logged): 매 leak.
• No TTL: 매 storage bloat.
• Full content in context: 매 attention waste.
• Container 의 security 의 over-trust: 매 kernel CVE.

🧪 검증 / 중복

• Verified (E2B, Modal, Firecracker, AWS Lambda papers).
• 신뢰도 B.
• Related: Agent-Harness · Sandbox · E2B · Modal · Code-Execution.

🕓 Changelog

날짜	변경
2026-05-08	Phase 1
2026-05-10	Manual cleanup — sandbox spectrum + lifecycle + 매 E2B / Modal / Docker / Fly code