Operator Matrix
Use this page before you buy a VPS, expose an operator endpoint, or set model provider keys.
The three first-party blueprints do not fail the same way. A sandbox operator runs isolated compute. A trading operator runs bots and protects capital. A Surplus operator runs a market venue and backs inference credits. Treat those as different businesses.
What each operator is responsible for
| Blueprint | Operator responsibility | Main failure to avoid |
|---|---|---|
| AI Agent Sandbox | Start sandboxes, keep sidecars reachable, protect session tokens and secrets, and report lifecycle state. | Exposing a sandbox or secret outside the service instance that owns it. |
| AI Trading | Run bot sandboxes, preserve bot state, enforce paper/live policy, expose the operator API, and keep risk checks online. | Letting a bot spend capital outside its envelope or provider budget. |
| Surplus Market | Operate a venue, quote or match inference credits, settle fills, and redeem credits against real capacity when bonded. | Selling a credit lot that cannot be served, redeemed, or settled. |
Host shape
| Blueprint | Minimum host | Recommended host | Notes |
|---|---|---|---|
| AI Agent Sandbox | Docker host, Rust 1.88+, Foundry, Node 22+/pnpm for UI work. | Dedicated state volume, TLS ingress, public host, pre-pulled sidecar image. | Firecracker needs kernel, rootfs, TAP/vsock support, and the guest metadata daemon. |
| AI Trading | Ubuntu 22.04/24.04, x86_64, Docker 24+, 2 vCPU, 4 GB RAM, 40 GB SSD. | 4 vCPU, 8 GB RAM, 80 GB SSD, public IPv4, ports 22 and 443 open. | Releases currently target x86_64. Build from source on other architectures. |
| Surplus Market | Rust operator, chain RPC, persistent venue state, settlement submitter key. | Dedicated venue host, supervised process, private key separation, real inference backend. | Bonded issuers must back lots with inference they run or control. |
Public ports
| Blueprint | Public surface | Keep private |
|---|---|---|
| AI Agent Sandbox | TLS ingress to the operator API when intentionally exposed. The default operator API port is around 9100. | Sidecar HTTP and SSH ports should stay internal unless explicitly proxied. |
| AI Trading | Caddy or equivalent TLS on 443 to the operator API. | Raw trading API ports such as 9100 and 9200 should not be exposed directly. |
| Surplus Market | Venue HTTP endpoint, optionally an onion endpoint for privacy mode. | Settlement keys, submitter keys, mm-sidecar, and inference provider credentials. |
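
An added example (not the project's own code) of auditing the AI Trading row above: it parses ss -tln output and flags any listener bound off-loopback on a port other than 22 and 443, marking 9100 and 9200 as raw API exposure. The sample listing is constructed, and the function and constant names are hypothetical.

```python
import ipaddress

# Public surface for an AI Trading host per the table above: SSH and TLS ingress.
ALLOWED_PUBLIC_PORTS = {22, 443}
# Raw trading API ports the table says should not be exposed directly.
RAW_API_PORTS = {9100, 9200}

# Constructed sample of `ss -tln` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       4096    0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096    0.0.0.0:443          0.0.0.0:*
LISTEN  0       4096    127.0.0.1:9100       0.0.0.0:*
LISTEN  0       4096    0.0.0.0:9200         0.0.0.0:*
LISTEN  0       4096    [::]:9100            [::]:*
LISTEN  0       4096    [::1]:5432           [::]:*
LISTEN  0       4096    *:8080               *:*
"""


def split_host_port(local):
    """Split '0.0.0.0:22', '[::]:9100' or '*:8080' into (host, port)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    """True only for loopback binds; wildcard and routable binds are not."""
    if host == "*":
        return False
    # ss may append a scope such as %lo or %eth0; drop it before parsing.
    return ipaddress.ip_address(host.split("%")[0]).is_loopback


def audit_listeners(ss_output):
    """Return sorted (severity, host, port) findings for off-loopback listeners."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        host, port = split_host_port(fields[3])
        if is_loopback(host) or port in ALLOWED_PUBLIC_PORTS:
            continue
        severity = "raw-api-exposed" if port in RAW_API_PORTS else "unexpected"
        findings.add((severity, host, port))
    return sorted(findings)
```

A non-loopback bind is only a candidate exposure, since a host or cloud firewall may still block it; confirm reachability from outside the host before treating the result as final.
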
AI and inference credentials
| Blueprint | Can boot without model keys? | Keys needed for | Budget risk |
|---|---|---|---|
| AI Agent Sandbox | Yes. Lifecycle, terminals, files, ports, snapshots, and non-model commands can work without provider keys. | Prompt, task, and workflow execution through a selected harness or model provider. | Provider spend belongs to whoever injects the key into the service instance. |
| AI Trading | Yes. Deterministic strategy ticks and paper bots can run without model keys. | Agentic activation, chat, and model-driven strategy work. OpenCode model env vars apply only when the sidecar advertises that path. | The operator pays unless the product adds a separate customer billing rail. Default operator docs warn there is no built-in per-bot spend cap. |
| Surplus Market | The order book and dry-run venue can run without inference. | Bonded credit redemption needs a real backend such as managed vLLM or an OpenAI-compatible API the operator controls. | A bonded issuer is financially exposed if it sells credits it cannot redeem. Router fallback is not acceptable for bonded issuance. |
Harnesses are not the product boundary
The sandbox product is the sandbox service instance plus its operator API. The Sandbox SDK supports OpenCode, Claude Code, Kimi Code, Codex, AMP, Factory Droids, Pi, Hermes, Forge, OpenClaw, ACP, Cursor, and CLI base. The current all-harness sidecar in the sandbox blueprint advertises Claude Code, Codex, OpenCode, Kimi Code, and Gemini CLI through GET /api/capabilities.
That endpoint is the contract the app should read. Do not make docs or UI copy pretend OpenCode, Codex, or any one harness is the integration. Harness support can change by publishing a new sidecar image without changing the blueprint ABI.
AI Trading uses the same sidecar direction for agentic work, but the trading product is the bot, vault policy, risk gate, paper/live state, and execution history. The agent harness is one backend for a bot.
Runtime isolation
| Blueprint | Runtime modes | Operator decision |
|---|---|---|
| AI Agent Sandbox | Docker, Firecracker, TEE instance. | Docker is the simple path. Firecracker adds VM isolation and host setup. TEE mode adds provider credentials and attestation handling. |
| AI Trading | Docker sidecar by default, dedicated instance mode, TEE instance mode. | Start with paper mode and allowlist admission. Use TEE only when strategy confidentiality is worth the hardware or provider complexity. |
| Surplus Market | Operator HTTP venue plus optional mm-sidecar, shared CLOB, Tor onion, settlement submitter. | Decide whether you are a dry-run venue, an attester, or a bonded issuer. Bonded issuers need real inference and settlement discipline. |
Proof boundary
| Blueprint | Indexer can show | Product must still prove |
|---|---|---|
| AI Agent Sandbox | Blueprint registration, operator registration, service requests, jobs, source updates, and heartbeats. | Endpoint health, sandbox readiness, secret handling, TEE attestation, and sidecar capability support. |
| AI Trading | Blueprint registration, service instances, operator endpoints, jobs, pricing pointers, and heartbeats. | Bot health, paper/live mode, model spend, vault policy, trade execution, and validator status. |
| Surplus Market | Blueprint registration, operator registration, service instances, jobs, endpoints, and heartbeats. | Order-book correctness, fill settlement, credit redemption, attester quorum, SP1 proof path, and inference delivery. |
Operator preflight
Before advertising capacity:
- Build the operator binary and run the repo’s local smoke test.
- Set persistent state, keystore, RPC, and public endpoint values.
- Register on the restaking layer if the blueprint requires stake.
- Register for the specific blueprint ID.
- Request or join a service instance.
- Hit the operator health endpoint from outside the host.
- Submit one real job or product action through the local or testnet path.
- Keep the command output, IDs, and transaction hashes in the PR or runbook.
“It builds” is not enough for an operator. A blueprint operator is real only after it can register, serve a service instance, and prove one non-mocked path.