sandboxset: thread-safe sandbox pool (issue #217)

Problem

LambdaInstance uses one goroutine per sandbox, sitting idle on channels
between requests. A SandboxSet replaces that with a mutex-protected pool —
callers just ask for a sandbox and don't worry about whether it's new or
reused.

API

GetOrCreateUnpaused returns a *SandboxRef — a handle that wraps the
sandbox with a health state and back-pointer to its parent set. The caller
uses ref.Sandbox() to access the container, then calls ref.Put() or
ref.Destroy() when done.

set, _ := sandboxset.New(&sandboxset.Config{
    Pool:        myPool,
    CodeDir:     "/path/to/lambda",
    ScratchDirs: myScratchDirs,
})

ref, _ := set.GetOrCreateUnpaused()   // create or reuse a sandbox
sb := ref.Sandbox()                    // access the underlying container
// ... handle request using sb.Client() ...

if broken {
    ref.Destroy("reason")             // kill a broken sandbox
} else {
    ref.Put()                          // return it to the pool
}

set.Close()                            // tear down everything

Set-level Put(sb) and Destroy(sb, reason) methods are also available
for callers that have a raw sandbox.Sandbox instead of a SandboxRef.

SandboxRef

type SandboxRef struct {
    State SandboxState  // StateReady or StateBroken
}

func (r *SandboxRef) Sandbox() sandbox.Sandbox  // access the container
func (r *SandboxRef) Put() error                 // return to pool
func (r *SandboxRef) Destroy(reason string) error // destroy and remove

Flow

     [created]
         |
         v
     [paused]  <---+
         |         |
         v         |
     [in-use]  ----+  (Put)
         |
         v
   [destroyed]     (Destroy / Close / error)

• GetOrCreateUnpaused claims an idle sandbox and unpauses it. If the
  container died while paused, it is destroyed and the next idle one is
  tried. If no idle sandbox exists, a new one is created via
  SandboxPool.Create. Returns a *SandboxRef with State: StateReady.
• Put pauses the sandbox and returns it to the pool. If Pause fails,
  the sandbox is destroyed — a bad sandbox never re-enters the pool.
• Destroy removes a sandbox from the pool and frees its resources.
  The sandbox is always destroyed even if it wasn't in the pool.
• Close destroys all sandboxes. Callers still holding references
  will find them already dead, which is safe per the Sandbox contract.

Edge cases handled

• Mass unpause failure: GetOrCreateUnpaused loops (not recursion)
  over idle sandboxes, destroying dead ones until a live one is found or
  a new one is created. No stack-growth risk.
• DirMaker panic: DirMaker.Make panics on disk-full.
  makeScratchDir() wraps it in defer/recover and returns an error.
• Put after Close: Returns a clear error message indicating the set
  was closed, rather than a confusing "Pause failed" error.

File structure

go/worker/sandboxset/
    api.go           — SandboxSet interface, Config, New()
    sandboxset.go    — All implementation: types + methods
    tests/
        sandboxset_test.go              — Unit tests (MockSandboxPool)
        sandboxset_integration_test.go  — Integration tests (real DockerPool)

Dependencies

sandboxset is a thin layer on top of sandbox — no new abstractions:

sandboxset
    │
    ├── sandbox.Sandbox      (4 of 11 methods used: ID, Pause, Unpause, Destroy)
    ├── sandbox.SandboxPool  (1 method used: Create)
    ├── sandbox.SandboxMeta  (passed through to Create, never read)
    └── common.DirMaker      (1 method used: Make)

The dependency is one-way: sandboxset imports sandbox, never the reverse.

Testing

• Unit tests (22 tests): Use MockSandboxPool from sandbox/mock.go.
  Fast, no Docker needed, test all pool logic and concurrency.

  cd go && go test ./worker/sandboxset/tests/ -v -race -count=1
  

• Integration tests (4 tests): Use real DockerPool with ol-min
  image. Gated with //go:build integration. Verify real containers are
  created, paused, unpaused, and destroyed.

  cd go && sudo env "PATH=$PATH" go test ./worker/sandboxset/tests/ -v -tags=integration -count=1
  

What this PR does NOT do

• LambdaInstance goroutines are unchanged — that is Step 2
• No capacity management (Warm/Shrink) or metrics — later PRs

Next steps

• Step 2: Replace LambdaInstance goroutines with a SandboxSet
• Step 3: Use SandboxSet as the node in the zygote tree