adk_sandbox/lib.rs
1//! # adk-sandbox
2//!
3//! Isolated code execution runtime for ADK agents.
4//!
5//! This crate provides the [`SandboxBackend`] trait and two implementations:
6//!
7//! - **`ProcessBackend`** (default feature `process`): Executes code in child
8//! processes via `tokio::process::Command`. Enforces a timeout and environment
9//! isolation, but not memory limits or network isolation; unlike `WasmBackend`, it is not a full sandbox.
10//!
11//! - **`WasmBackend`** (feature `wasm`): Executes WebAssembly modules in-process
12//! via `wasmtime`. Enforces timeout, memory limits, and full sandboxing (no
13//! filesystem or network access).
14//!
15//! ## Quick Start
16//!
17//! ```rust,ignore
18//! use adk_sandbox::{ProcessBackend, ExecRequest, Language};
19//! use std::time::Duration;
20//! use std::collections::HashMap;
21//!
22//! let backend = ProcessBackend::default();
23//! let request = ExecRequest {
24//!     language: Language::Python,
25//!     code: "print('hello')".to_string(),
26//!     stdin: None,
27//!     timeout: Duration::from_secs(30),
28//!     memory_limit_mb: None,
29//!     env: HashMap::new(),
30//! };
31//! let result = backend.execute(request).await?;
32//! println!("stdout: {}", result.stdout);
33//! ```
34//!
35//! ## Feature Flags
36//!
37//! | Feature | Description | Default |
38//! |-----------|--------------------------------------|---------|
39//! | `process` | Subprocess execution via tokio | ✅ |
40//! | `wasm` | In-process WASM execution via wasmtime | ❌ |
41
42pub mod backend;
43pub mod error;
44pub mod sandbox;
45pub mod tool;
46pub mod types;
47
48// Feature-gated modules
49#[cfg(feature = "process")]
50pub mod process;
51
52#[cfg(feature = "wasm")]
53pub mod wasm;
54
55// Public re-exports
56pub use backend::{BackendCapabilities, EnforcedLimits, SandboxBackend};
57pub use error::SandboxError;
58pub use sandbox::{
59 AccessMode, AllowedPath, NetworkRule, SandboxEnforcer, SandboxPolicy, SandboxPolicyBuilder,
60 WrappedCommand, get_enforcer,
61};
62pub use tool::SandboxTool;
63pub use types::{ExecRequest, ExecResult, Language};
64
65#[cfg(feature = "process")]
66pub use process::{ProcessBackend, ProcessConfig};
67
68#[cfg(feature = "wasm")]
69pub use wasm::WasmBackend;
70
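71// Platform-specific enforcer re-exports: compiled only with the `sandbox-native` feature on the matching target OS (that feature is not listed in the Feature Flags table above)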
72#[cfg(all(feature = "sandbox-native", target_os = "macos"))]
73pub use sandbox::macos::MacOsEnforcer;
74
75#[cfg(all(feature = "sandbox-native", target_os = "linux"))]
76pub use sandbox::linux::LinuxEnforcer;
77
78#[cfg(all(feature = "sandbox-native", target_os = "windows"))]
79pub use sandbox::windows::WindowsEnforcer;