[Bug]: Sandbox created in temp directory instead of user workspace

[louisdevzz]

Summary

Sandbox is created in temporary system directory (/var/folders/.../T/) instead of a user-managed workspace location, making it difficult to monitor, debug, and clean up sandbox environments.

Affected component

security/sandbox

Severity

S2 - degraded behavior

Current behavior

When ZeroBuild creates a local sandbox, it uses the system's temporary directory:

2026-03-04T18:15:14.336851Z  INFO zerobuild::sandbox::local: Local sandbox created at /var/folders/bp/6_t36vds31147b3mgpc3wjg40000gn/T/zerobuild-sandbox-cf971429-6ddd-4767-983d-4239f5aedf9a

This creates several problems:

1. Difficult to locate: The path is long, random, and varies by system
2. Hard to monitor: Users cannot easily check sandbox contents or disk usage
3. Cleanup issues: Temporary files may persist unexpectedly or be cleaned too aggressively by OS
4. Debugging difficulty: When issues occur, developers must hunt through system temp directories
5. No persistence control: Users cannot choose to preserve sandboxes for inspection

Expected behavior

Sandbox should be created in a user-accessible, predictable location within the ZeroBuild workspace:

~/.zerobuild/workspace/sandbox/

Or optionally configurable via environment variable or config:

$ZEROBUILD_SANDBOX_PATH/zerobuild-sandbox-{uuid}/

Benefits:

• Easy to find: Consistent location under user's home directory
• Simple monitoring: Users can check ~/.zerobuild/workspace/sandbox/ for active/past sandboxes
• Controlled cleanup: Users decide when to clean up, not the OS
• Better debugging: Easy to inspect sandbox contents when issues occur
• Persistence options: Can be configured to persist for debugging

Steps to reproduce

1. Run any ZeroBuild command that creates a sandbox (e.g., build, test)
2. Observe the sandbox creation log:

   zerobuild build

3. Check the sandbox location in logs - it will be in /var/folders/.../T/ on macOS or /tmp/ on Linux
4. Try to locate the sandbox directory manually - it's difficult due to random path

Impact

Affected users: All users of ZeroBuild sandbox functionality
Frequency: Every sandbox creation
Consequence:

• Developers waste time locating sandbox directories
• Hard to debug build issues when sandbox contents are hard to access
• Risk of orphaned sandboxes consuming disk space in temp directories
• Cannot easily implement sandbox persistence for debugging

Logs / stack traces

2026-03-04T18:15:14.336851Z  INFO zerobuild::sandbox::local: Local sandbox created at /var/folders/bp/6_t36vds31147b3mgpc3wjg40000gn/T/zerobuild-sandbox-cf971429-6ddd-4767-983d-4239f5aedf9a

ZeroBuild version

Latest main branch (2026-03-04)

Rust version

rustc 1.92.0

Operating system

macOS (but affects all platforms)

Regression?

No, first-time setup

Pre-flight checks

• I reproduced this on the latest main branch or latest release.
• I redacted secrets/tokens from logs.
• I removed personal identifiers and replaced identity-specific data with neutral placeholders.