Prototype with single host server and no admin panel (#2)

Reviewed-on: wrenn/sandbox#2 Co-authored-by: pptx704 <rafeed@omukk.dev> Co-committed-by: pptx704 <rafeed@omukk.dev>
2026-03-22 21:01:23 +00:00
parent bd78cc068c
commit 32e5a5a715
293 changed files with 46885 additions and 1033 deletions
--- a/internal/service/apikey.go
+++ b/internal/service/apikey.go
@ -0,0 +1,63 @@
+package service
+
+import (
+	"context"
+	"fmt"
+
+	"git.omukk.dev/wrenn/sandbox/internal/auth"
+	"git.omukk.dev/wrenn/sandbox/internal/db"
+	"git.omukk.dev/wrenn/sandbox/internal/id"
+)
+
+// APIKeyService provides API key operations shared between the REST API and the dashboard.
+type APIKeyService struct {
+	DB *db.Queries
+}
+
+// APIKeyCreateResult holds the result of creating an API key, including the
+// plaintext key which is only available at creation time.
+type APIKeyCreateResult struct {
+	Row       db.TeamApiKey
+	Plaintext string
+}
+
+// Create generates a new API key for the given team.
+func (s *APIKeyService) Create(ctx context.Context, teamID, userID, name string) (APIKeyCreateResult, error) {
+	if name == "" {
+		name = "Unnamed API Key"
+	}
+
+	plaintext, hash, err := auth.GenerateAPIKey()
+	if err != nil {
+		return APIKeyCreateResult{}, fmt.Errorf("generate key: %w", err)
+	}
+
+	row, err := s.DB.InsertAPIKey(ctx, db.InsertAPIKeyParams{
+		ID:        id.NewAPIKeyID(),
+		TeamID:    teamID,
+		Name:      name,
+		KeyHash:   hash,
+		KeyPrefix: auth.APIKeyPrefix(plaintext),
+		CreatedBy: userID,
+	})
+	if err != nil {
+		return APIKeyCreateResult{}, fmt.Errorf("insert key: %w", err)
+	}
+
+	return APIKeyCreateResult{Row: row, Plaintext: plaintext}, nil
+}
+
+// List returns all API keys belonging to the given team.
+func (s *APIKeyService) List(ctx context.Context, teamID string) ([]db.TeamApiKey, error) {
+	return s.DB.ListAPIKeysByTeam(ctx, teamID)
+}
+
+// ListWithCreator returns all API keys for the team, joined with the creator's email.
+func (s *APIKeyService) ListWithCreator(ctx context.Context, teamID string) ([]db.ListAPIKeysByTeamWithCreatorRow, error) {
+	return s.DB.ListAPIKeysByTeamWithCreator(ctx, teamID)
+}
+
+// Delete removes an API key by ID, scoped to the given team.
+func (s *APIKeyService) Delete(ctx context.Context, keyID, teamID string) error {
+	return s.DB.DeleteAPIKey(ctx, db.DeleteAPIKeyParams{ID: keyID, TeamID: teamID})
+}
--- a/internal/service/host.go
+++ b/internal/service/host.go
@ -0,0 +1,358 @@
+package service
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"log/slog"
+	"time"
+
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgtype"
+	"github.com/redis/go-redis/v9"
+
+	"git.omukk.dev/wrenn/sandbox/internal/auth"
+	"git.omukk.dev/wrenn/sandbox/internal/db"
+	"git.omukk.dev/wrenn/sandbox/internal/id"
+)
+
+// HostService provides host management operations.
+type HostService struct {
+	DB    *db.Queries
+	Redis *redis.Client
+	JWT   []byte
+}
+
+// HostCreateParams holds the parameters for creating a host.
+type HostCreateParams struct {
+	Type             string
+	TeamID           string // required for BYOC, empty for regular
+	Provider         string
+	AvailabilityZone string
+	RequestingUserID string
+	IsRequestorAdmin bool
+}
+
+// HostCreateResult holds the created host and the one-time registration token.
+type HostCreateResult struct {
+	Host              db.Host
+	RegistrationToken string
+}
+
+// HostRegisterParams holds the parameters for host agent registration.
+type HostRegisterParams struct {
+	Token    string
+	Arch     string
+	CPUCores int32
+	MemoryMB int32
+	DiskGB   int32
+	Address  string
+}
+
+// HostRegisterResult holds the registered host and its long-lived JWT.
+type HostRegisterResult struct {
+	Host db.Host
+	JWT  string
+}
+
+// regTokenPayload is the JSON stored in Redis for registration tokens.
+type regTokenPayload struct {
+	HostID  string `json:"host_id"`
+	TokenID string `json:"token_id"`
+}
+
+const regTokenTTL = time.Hour
+
+// Create creates a new host record and generates a one-time registration token.
+func (s *HostService) Create(ctx context.Context, p HostCreateParams) (HostCreateResult, error) {
+	if p.Type != "regular" && p.Type != "byoc" {
+		return HostCreateResult{}, fmt.Errorf("invalid host type: must be 'regular' or 'byoc'")
+	}
+
+	if p.Type == "regular" {
+		if !p.IsRequestorAdmin {
+			return HostCreateResult{}, fmt.Errorf("forbidden: only admins can create regular hosts")
+		}
+	} else {
+		// BYOC: admin or team owner.
+		if p.TeamID == "" {
+			return HostCreateResult{}, fmt.Errorf("invalid request: team_id is required for BYOC hosts")
+		}
+		if !p.IsRequestorAdmin {
+			membership, err := s.DB.GetTeamMembership(ctx, db.GetTeamMembershipParams{
+				UserID: p.RequestingUserID,
+				TeamID: p.TeamID,
+			})
+			if errors.Is(err, pgx.ErrNoRows) {
+				return HostCreateResult{}, fmt.Errorf("forbidden: not a member of the specified team")
+			}
+			if err != nil {
+				return HostCreateResult{}, fmt.Errorf("check team membership: %w", err)
+			}
+			if membership.Role != "owner" {
+				return HostCreateResult{}, fmt.Errorf("forbidden: only team owners can create BYOC hosts")
+			}
+		}
+	}
+
+	// Validate team exists for BYOC hosts.
+	if p.TeamID != "" {
+		if _, err := s.DB.GetTeam(ctx, p.TeamID); err != nil {
+			return HostCreateResult{}, fmt.Errorf("invalid request: team not found")
+		}
+	}
+
+	hostID := id.NewHostID()
+
+	var teamID pgtype.Text
+	if p.TeamID != "" {
+		teamID = pgtype.Text{String: p.TeamID, Valid: true}
+	}
+	var provider pgtype.Text
+	if p.Provider != "" {
+		provider = pgtype.Text{String: p.Provider, Valid: true}
+	}
+	var az pgtype.Text
+	if p.AvailabilityZone != "" {
+		az = pgtype.Text{String: p.AvailabilityZone, Valid: true}
+	}
+
+	host, err := s.DB.InsertHost(ctx, db.InsertHostParams{
+		ID:               hostID,
+		Type:             p.Type,
+		TeamID:           teamID,
+		Provider:         provider,
+		AvailabilityZone: az,
+		CreatedBy:        p.RequestingUserID,
+	})
+	if err != nil {
+		return HostCreateResult{}, fmt.Errorf("insert host: %w", err)
+	}
+
+	// Generate registration token and store in Redis + Postgres audit trail.
+	token := id.NewRegistrationToken()
+	tokenID := id.NewHostTokenID()
+
+	payload, _ := json.Marshal(regTokenPayload{
+		HostID:  hostID,
+		TokenID: tokenID,
+	})
+	if err := s.Redis.Set(ctx, "host:reg:"+token, payload, regTokenTTL).Err(); err != nil {
+		return HostCreateResult{}, fmt.Errorf("store registration token: %w", err)
+	}
+
+	now := time.Now()
+	if _, err := s.DB.InsertHostToken(ctx, db.InsertHostTokenParams{
+		ID:        tokenID,
+		HostID:    hostID,
+		CreatedBy: p.RequestingUserID,
+		ExpiresAt: pgtype.Timestamptz{Time: now.Add(regTokenTTL), Valid: true},
+	}); err != nil {
+		slog.Warn("failed to insert host token audit record", "host_id", hostID, "error", err)
+	}
+
+	return HostCreateResult{Host: host, RegistrationToken: token}, nil
+}
+
+// RegenerateToken issues a new registration token for a host still in "pending"
+// status. This allows retry when a previous registration attempt failed after
+// the original token was consumed.
+func (s *HostService) RegenerateToken(ctx context.Context, hostID, userID, teamID string, isAdmin bool) (HostCreateResult, error) {
+	host, err := s.DB.GetHost(ctx, hostID)
+	if err != nil {
+		return HostCreateResult{}, fmt.Errorf("host not found: %w", err)
+	}
+	if host.Status != "pending" {
+		return HostCreateResult{}, fmt.Errorf("invalid state: can only regenerate token for pending hosts (status: %s)", host.Status)
+	}
+
+	// Same permission model as Create/Delete.
+	if !isAdmin {
+		if host.Type != "byoc" {
+			return HostCreateResult{}, fmt.Errorf("forbidden: only admins can manage regular hosts")
+		}
+		if !host.TeamID.Valid || host.TeamID.String != teamID {
+			return HostCreateResult{}, fmt.Errorf("forbidden: host does not belong to your team")
+		}
+		membership, err := s.DB.GetTeamMembership(ctx, db.GetTeamMembershipParams{
+			UserID: userID,
+			TeamID: teamID,
+		})
+		if errors.Is(err, pgx.ErrNoRows) {
+			return HostCreateResult{}, fmt.Errorf("forbidden: not a member of the specified team")
+		}
+		if err != nil {
+			return HostCreateResult{}, fmt.Errorf("check team membership: %w", err)
+		}
+		if membership.Role != "owner" {
+			return HostCreateResult{}, fmt.Errorf("forbidden: only team owners can regenerate tokens")
+		}
+	}
+
+	token := id.NewRegistrationToken()
+	tokenID := id.NewHostTokenID()
+
+	payload, _ := json.Marshal(regTokenPayload{
+		HostID:  hostID,
+		TokenID: tokenID,
+	})
+	if err := s.Redis.Set(ctx, "host:reg:"+token, payload, regTokenTTL).Err(); err != nil {
+		return HostCreateResult{}, fmt.Errorf("store registration token: %w", err)
+	}
+
+	now := time.Now()
+	if _, err := s.DB.InsertHostToken(ctx, db.InsertHostTokenParams{
+		ID:        tokenID,
+		HostID:    hostID,
+		CreatedBy: userID,
+		ExpiresAt: pgtype.Timestamptz{Time: now.Add(regTokenTTL), Valid: true},
+	}); err != nil {
+		slog.Warn("failed to insert host token audit record", "host_id", hostID, "error", err)
+	}
+
+	return HostCreateResult{Host: host, RegistrationToken: token}, nil
+}
+
+// Register validates a one-time registration token, updates the host with
+// machine specs, and returns a long-lived host JWT.
+func (s *HostService) Register(ctx context.Context, p HostRegisterParams) (HostRegisterResult, error) {
+	// Atomic consume: GetDel returns the value and deletes in one operation,
+	// preventing concurrent requests from consuming the same token.
+	raw, err := s.Redis.GetDel(ctx, "host:reg:"+p.Token).Bytes()
+	if err == redis.Nil {
+		return HostRegisterResult{}, fmt.Errorf("invalid or expired registration token")
+	}
+	if err != nil {
+		return HostRegisterResult{}, fmt.Errorf("token lookup: %w", err)
+	}
+
+	var payload regTokenPayload
+	if err := json.Unmarshal(raw, &payload); err != nil {
+		return HostRegisterResult{}, fmt.Errorf("corrupted registration token")
+	}
+
+	if _, err := s.DB.GetHost(ctx, payload.HostID); err != nil {
+		return HostRegisterResult{}, fmt.Errorf("host not found: %w", err)
+	}
+
+	// Sign JWT before mutating DB — if signing fails, the host stays pending.
+	hostJWT, err := auth.SignHostJWT(s.JWT, payload.HostID)
+	if err != nil {
+		return HostRegisterResult{}, fmt.Errorf("sign host token: %w", err)
+	}
+
+	// Atomically update only if still pending (defense-in-depth against races).
+	rowsAffected, err := s.DB.RegisterHost(ctx, db.RegisterHostParams{
+		ID:       payload.HostID,
+		Arch:     pgtype.Text{String: p.Arch, Valid: p.Arch != ""},
+		CpuCores: pgtype.Int4{Int32: p.CPUCores, Valid: p.CPUCores > 0},
+		MemoryMb: pgtype.Int4{Int32: p.MemoryMB, Valid: p.MemoryMB > 0},
+		DiskGb:   pgtype.Int4{Int32: p.DiskGB, Valid: p.DiskGB > 0},
+		Address:  pgtype.Text{String: p.Address, Valid: p.Address != ""},
+	})
+	if err != nil {
+		return HostRegisterResult{}, fmt.Errorf("register host: %w", err)
+	}
+	if rowsAffected == 0 {
+		return HostRegisterResult{}, fmt.Errorf("host already registered or not found")
+	}
+
+	// Mark audit trail.
+	if err := s.DB.MarkHostTokenUsed(ctx, payload.TokenID); err != nil {
+		slog.Warn("failed to mark host token used", "token_id", payload.TokenID, "error", err)
+	}
+
+	// Re-fetch the host to get the updated state.
+	host, err := s.DB.GetHost(ctx, payload.HostID)
+	if err != nil {
+		return HostRegisterResult{}, fmt.Errorf("fetch updated host: %w", err)
+	}
+
+	return HostRegisterResult{Host: host, JWT: hostJWT}, nil
+}
+
+// Heartbeat updates the last heartbeat timestamp for a host.
+func (s *HostService) Heartbeat(ctx context.Context, hostID string) error {
+	return s.DB.UpdateHostHeartbeat(ctx, hostID)
+}
+
+// List returns hosts visible to the caller.
+// Admins see all hosts; non-admins see only BYOC hosts belonging to their team.
+func (s *HostService) List(ctx context.Context, teamID string, isAdmin bool) ([]db.Host, error) {
+	if isAdmin {
+		return s.DB.ListHosts(ctx)
+	}
+	return s.DB.ListHostsByTeam(ctx, pgtype.Text{String: teamID, Valid: true})
+}
+
+// Get returns a single host, enforcing access control.
+func (s *HostService) Get(ctx context.Context, hostID, teamID string, isAdmin bool) (db.Host, error) {
+	host, err := s.DB.GetHost(ctx, hostID)
+	if err != nil {
+		return db.Host{}, fmt.Errorf("host not found: %w", err)
+	}
+	if !isAdmin {
+		if !host.TeamID.Valid || host.TeamID.String != teamID {
+			return db.Host{}, fmt.Errorf("host not found")
+		}
+	}
+	return host, nil
+}
+
+// Delete removes a host. Admins can delete any host. Team owners can delete
+// BYOC hosts belonging to their team.
+func (s *HostService) Delete(ctx context.Context, hostID, userID, teamID string, isAdmin bool) error {
+	host, err := s.DB.GetHost(ctx, hostID)
+	if err != nil {
+		return fmt.Errorf("host not found: %w", err)
+	}
+
+	if !isAdmin {
+		if host.Type != "byoc" {
+			return fmt.Errorf("forbidden: only admins can delete regular hosts")
+		}
+		if !host.TeamID.Valid || host.TeamID.String != teamID {
+			return fmt.Errorf("forbidden: host does not belong to your team")
+		}
+		membership, err := s.DB.GetTeamMembership(ctx, db.GetTeamMembershipParams{
+			UserID: userID,
+			TeamID: teamID,
+		})
+		if errors.Is(err, pgx.ErrNoRows) {
+			return fmt.Errorf("forbidden: not a member of the specified team")
+		}
+		if err != nil {
+			return fmt.Errorf("check team membership: %w", err)
+		}
+		if membership.Role != "owner" {
+			return fmt.Errorf("forbidden: only team owners can delete BYOC hosts")
+		}
+	}
+
+	return s.DB.DeleteHost(ctx, hostID)
+}
+
+// AddTag adds a tag to a host.
+func (s *HostService) AddTag(ctx context.Context, hostID, teamID string, isAdmin bool, tag string) error {
+	if _, err := s.Get(ctx, hostID, teamID, isAdmin); err != nil {
+		return err
+	}
+	return s.DB.AddHostTag(ctx, db.AddHostTagParams{HostID: hostID, Tag: tag})
+}
+
+// RemoveTag removes a tag from a host.
+func (s *HostService) RemoveTag(ctx context.Context, hostID, teamID string, isAdmin bool, tag string) error {
+	if _, err := s.Get(ctx, hostID, teamID, isAdmin); err != nil {
+		return err
+	}
+	return s.DB.RemoveHostTag(ctx, db.RemoveHostTagParams{HostID: hostID, Tag: tag})
+}
+
+// ListTags returns all tags for a host.
+func (s *HostService) ListTags(ctx context.Context, hostID, teamID string, isAdmin bool) ([]string, error) {
+	if _, err := s.Get(ctx, hostID, teamID, isAdmin); err != nil {
+		return nil, err
+	}
+	return s.DB.GetHostTags(ctx, hostID)
+}
--- a/internal/service/sandbox.go
+++ b/internal/service/sandbox.go
@ -0,0 +1,225 @@
+package service
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"time"
+
+	"connectrpc.com/connect"
+	"github.com/jackc/pgx/v5/pgtype"
+
+	"git.omukk.dev/wrenn/sandbox/internal/db"
+	"git.omukk.dev/wrenn/sandbox/internal/id"
+	"git.omukk.dev/wrenn/sandbox/internal/validate"
+	pb "git.omukk.dev/wrenn/sandbox/proto/hostagent/gen"
+	"git.omukk.dev/wrenn/sandbox/proto/hostagent/gen/hostagentv1connect"
+)
+
+// SandboxService provides sandbox lifecycle operations shared between the
+// REST API and the dashboard.
+type SandboxService struct {
+	DB    *db.Queries
+	Agent hostagentv1connect.HostAgentServiceClient
+}
+
+// SandboxCreateParams holds the parameters for creating a sandbox.
+type SandboxCreateParams struct {
+	TeamID     string
+	Template   string
+	VCPUs      int32
+	MemoryMB   int32
+	TimeoutSec int32
+}
+
+// Create creates a new sandbox: inserts a pending DB record, calls the host agent,
+// and updates the record to running. Returns the sandbox DB row.
+func (s *SandboxService) Create(ctx context.Context, p SandboxCreateParams) (db.Sandbox, error) {
+	if p.Template == "" {
+		p.Template = "minimal"
+	}
+	if err := validate.SafeName(p.Template); err != nil {
+		return db.Sandbox{}, fmt.Errorf("invalid template name: %w", err)
+	}
+	if p.VCPUs <= 0 {
+		p.VCPUs = 1
+	}
+	if p.MemoryMB <= 0 {
+		p.MemoryMB = 512
+	}
+
+	// If the template is a snapshot, use its baked-in vcpus/memory.
+	if tmpl, err := s.DB.GetTemplateByTeam(ctx, db.GetTemplateByTeamParams{Name: p.Template, TeamID: p.TeamID}); err == nil && tmpl.Type == "snapshot" {
+		if tmpl.Vcpus.Valid {
+			p.VCPUs = tmpl.Vcpus.Int32
+		}
+		if tmpl.MemoryMb.Valid {
+			p.MemoryMB = tmpl.MemoryMb.Int32
+		}
+	}
+
+	sandboxID := id.NewSandboxID()
+
+	if _, err := s.DB.InsertSandbox(ctx, db.InsertSandboxParams{
+		ID:         sandboxID,
+		TeamID:     p.TeamID,
+		HostID:     "default",
+		Template:   p.Template,
+		Status:     "pending",
+		Vcpus:      p.VCPUs,
+		MemoryMb:   p.MemoryMB,
+		TimeoutSec: p.TimeoutSec,
+	}); err != nil {
+		return db.Sandbox{}, fmt.Errorf("insert sandbox: %w", err)
+	}
+
+	resp, err := s.Agent.CreateSandbox(ctx, connect.NewRequest(&pb.CreateSandboxRequest{
+		SandboxId:  sandboxID,
+		Template:   p.Template,
+		Vcpus:      p.VCPUs,
+		MemoryMb:   p.MemoryMB,
+		TimeoutSec: p.TimeoutSec,
+	}))
+	if err != nil {
+		if _, dbErr := s.DB.UpdateSandboxStatus(ctx, db.UpdateSandboxStatusParams{
+			ID: sandboxID, Status: "error",
+		}); dbErr != nil {
+			slog.Warn("failed to update sandbox status to error", "id", sandboxID, "error", dbErr)
+		}
+		return db.Sandbox{}, fmt.Errorf("agent create: %w", err)
+	}
+
+	now := time.Now()
+	sb, err := s.DB.UpdateSandboxRunning(ctx, db.UpdateSandboxRunningParams{
+		ID:      sandboxID,
+		HostIp:  resp.Msg.HostIp,
+		GuestIp: "",
+		StartedAt: pgtype.Timestamptz{
+			Time:  now,
+			Valid: true,
+		},
+	})
+	if err != nil {
+		return db.Sandbox{}, fmt.Errorf("update sandbox running: %w", err)
+	}
+
+	return sb, nil
+}
+
+// List returns active sandboxes (excludes stopped/error) belonging to the given team.
+func (s *SandboxService) List(ctx context.Context, teamID string) ([]db.Sandbox, error) {
+	return s.DB.ListSandboxesByTeam(ctx, teamID)
+}
+
+// Get returns a single sandbox by ID, scoped to the given team.
+func (s *SandboxService) Get(ctx context.Context, sandboxID, teamID string) (db.Sandbox, error) {
+	return s.DB.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: teamID})
+}
+
+// Pause snapshots and freezes a running sandbox to disk.
+func (s *SandboxService) Pause(ctx context.Context, sandboxID, teamID string) (db.Sandbox, error) {
+	sb, err := s.DB.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: teamID})
+	if err != nil {
+		return db.Sandbox{}, fmt.Errorf("sandbox not found: %w", err)
+	}
+	if sb.Status != "running" {
+		return db.Sandbox{}, fmt.Errorf("sandbox is not running (status: %s)", sb.Status)
+	}
+
+	if _, err := s.Agent.PauseSandbox(ctx, connect.NewRequest(&pb.PauseSandboxRequest{
+		SandboxId: sandboxID,
+	})); err != nil {
+		return db.Sandbox{}, fmt.Errorf("agent pause: %w", err)
+	}
+
+	sb, err = s.DB.UpdateSandboxStatus(ctx, db.UpdateSandboxStatusParams{
+		ID: sandboxID, Status: "paused",
+	})
+	if err != nil {
+		return db.Sandbox{}, fmt.Errorf("update status: %w", err)
+	}
+	return sb, nil
+}
+
+// Resume restores a paused sandbox from snapshot.
+func (s *SandboxService) Resume(ctx context.Context, sandboxID, teamID string) (db.Sandbox, error) {
+	sb, err := s.DB.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: teamID})
+	if err != nil {
+		return db.Sandbox{}, fmt.Errorf("sandbox not found: %w", err)
+	}
+	if sb.Status != "paused" {
+		return db.Sandbox{}, fmt.Errorf("sandbox is not paused (status: %s)", sb.Status)
+	}
+
+	resp, err := s.Agent.ResumeSandbox(ctx, connect.NewRequest(&pb.ResumeSandboxRequest{
+		SandboxId:  sandboxID,
+		TimeoutSec: sb.TimeoutSec,
+	}))
+	if err != nil {
+		return db.Sandbox{}, fmt.Errorf("agent resume: %w", err)
+	}
+
+	now := time.Now()
+	sb, err = s.DB.UpdateSandboxRunning(ctx, db.UpdateSandboxRunningParams{
+		ID:      sandboxID,
+		HostIp:  resp.Msg.HostIp,
+		GuestIp: "",
+		StartedAt: pgtype.Timestamptz{
+			Time:  now,
+			Valid: true,
+		},
+	})
+	if err != nil {
+		return db.Sandbox{}, fmt.Errorf("update status: %w", err)
+	}
+	return sb, nil
+}
+
+// Destroy stops a sandbox and marks it as stopped.
+func (s *SandboxService) Destroy(ctx context.Context, sandboxID, teamID string) error {
+	if _, err := s.DB.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: teamID}); err != nil {
+		return fmt.Errorf("sandbox not found: %w", err)
+	}
+
+	// Destroy on host agent. A not-found response is fine — sandbox is already gone.
+	if _, err := s.Agent.DestroySandbox(ctx, connect.NewRequest(&pb.DestroySandboxRequest{
+		SandboxId: sandboxID,
+	})); err != nil && connect.CodeOf(err) != connect.CodeNotFound {
+		return fmt.Errorf("agent destroy: %w", err)
+	}
+
+	if _, err := s.DB.UpdateSandboxStatus(ctx, db.UpdateSandboxStatusParams{
+		ID: sandboxID, Status: "stopped",
+	}); err != nil {
+		return fmt.Errorf("update status: %w", err)
+	}
+	return nil
+}
+
+// Ping resets the inactivity timer for a running sandbox.
+func (s *SandboxService) Ping(ctx context.Context, sandboxID, teamID string) error {
+	sb, err := s.DB.GetSandboxByTeam(ctx, db.GetSandboxByTeamParams{ID: sandboxID, TeamID: teamID})
+	if err != nil {
+		return fmt.Errorf("sandbox not found: %w", err)
+	}
+	if sb.Status != "running" {
+		return fmt.Errorf("sandbox is not running (status: %s)", sb.Status)
+	}
+
+	if _, err := s.Agent.PingSandbox(ctx, connect.NewRequest(&pb.PingSandboxRequest{
+		SandboxId: sandboxID,
+	})); err != nil {
+		return fmt.Errorf("agent ping: %w", err)
+	}
+
+	if err := s.DB.UpdateLastActive(ctx, db.UpdateLastActiveParams{
+		ID: sandboxID,
+		LastActiveAt: pgtype.Timestamptz{
+			Time:  time.Now(),
+			Valid: true,
+		},
+	}); err != nil {
+		slog.Warn("ping: failed to update last_active_at", "sandbox_id", sandboxID, "error", err)
+	}
+	return nil
+}
--- a/internal/service/template.go
+++ b/internal/service/template.go
@ -0,0 +1,25 @@
+package service
+
+import (
+	"context"
+
+	"git.omukk.dev/wrenn/sandbox/internal/db"
+)
+
+// TemplateService provides template/snapshot operations shared between the
+// REST API and the dashboard.
+type TemplateService struct {
+	DB *db.Queries
+}
+
+// List returns all templates belonging to the given team. If typeFilter is
+// non-empty, only templates of that type ("base" or "snapshot") are returned.
+func (s *TemplateService) List(ctx context.Context, teamID, typeFilter string) ([]db.Template, error) {
+	if typeFilter != "" {
+		return s.DB.ListTemplatesByTeamAndType(ctx, db.ListTemplatesByTeamAndTypeParams{
+			TeamID: teamID,
+			Type:   typeFilter,
+		})
+	}
+	return s.DB.ListTemplatesByTeam(ctx, teamID)
+}