## ADDED Requirements

### Requirement: Sandbox creation

The system SHALL provide a `Sandbox.create()` static method that provisions a new isolated compute environment.

Parameters:
- `name?: string` — optional human-readable name
- `source?: { type: "git" | "tarball" | "snapshot" }` — source for initial filesystem
- `ports?: number[]` — ports to expose (max 4)
- `timeout?: number` — auto-terminate timeout in ms
- `resources?: { vcpus: number }` — CPU allocation (2048 MB RAM per vCPU)
- `runtime?: string` — runtime identifier
- `networkPolicy?: NetworkPolicy` — network restrictions
- `env?: Record<string, string>` — default environment variables
- `tags?: Record<string, string>` — metadata tags (max 5)
- `persistent?: boolean` — persistent filesystem across sessions
- `signal?: AbortSignal` — cancellation support

#### Scenario: Create returns a running Sandbox instance

- **WHEN** `Sandbox.create()` is called with valid parameters
- **THEN** it SHALL return a `Sandbox` instance with a running session

#### Scenario: Create supports AsyncDisposable

- **WHEN** `Sandbox.create()` is used with `await using`
- **THEN** the sandbox SHALL be automatically stopped when scope exits

#### Scenario: Source specifies initial filesystem content

- **WHEN** `source: { type: "git", url: "..." }` is provided
- **THEN** the sandbox SHALL clone the git repository on creation

### Requirement: Sandbox retrieval

The system SHALL provide `Sandbox.get()` to retrieve an existing sandbox and `Sandbox.getOrCreate()` for idempotent get-or-create.

#### Scenario: Get retrieves existing sandbox

- **WHEN** `Sandbox.get({ name: "my-sandbox" })` is called for an existing sandbox
- **THEN** it SHALL return the sandbox with its session resumed

#### Scenario: GetOrCreate creates when not found

- **WHEN** `Sandbox.getOrCreate({ name: "new-sandbox", onCreate: ... })` is called and sandbox doesn't exist
- **THEN** it SHALL create a new sandbox and call `onCreate` once

### Requirement: Sandbox forking

The system SHALL provide `Sandbox.fork()` to create a new sandbox from an existing one's current filesystem state.

#### Scenario: Fork preserves filesystem state

- **WHEN** `Sandbox.fork({ sourceSandbox: "original" })` is called
- **THEN** the new sandbox SHALL start with the filesystem state of the source sandbox

### Requirement: Sandbox update and delete

The system SHALL support `sandbox.update()` for configuration changes and `sandbox.delete()` for removal.

#### Scenario: Update changes sandbox config

- **WHEN** `sandbox.update({ timeout: 300000 })` is called
- **THEN** the sandbox's timeout SHALL be updated for subsequent sessions

#### Scenario: Delete removes the sandbox

- **WHEN** `sandbox.delete()` is called
- **THEN** the sandbox SHALL be permanently removed