Skip to main content

Crate agent_bridle_tool_shell

Crate agent_bridle_tool_shell 

Source
Expand description

agent-bridle-tool-shell — capability-confined shell tool (argv + safe-subset engine).

Per ADR 0005 the object-capability boundary is L3 (kernel) and this crate is the L2 convenience engine: agent-bridle is the exec funnel, parsing each request itself ([crate::parse]) and running only what it can confine. ShellTool accepts either argv form (program + args) or a free-form cmd string, checks the exec/fs leash, spawns the program directly, and refuses the dynamic constructs by design ($(...), backticks, subshells — the undecidable interiors of ADR 0001). The L3 backstop is wired (agent-bridle#35): when it will actually confine the run — today the Landlock fs_write axis on a capable Linux build with fs_write restricted — children spawn inside a kernel-enforced ruleset and sandbox_kind reports agent_bridle_core::SandboxKind::Landlock; else the run is honestly advisory with agent_bridle_core::SandboxKind::None (I9, never overclaiming). Read/exec/net axes + macOS/Windows backends are follow-ups (ADR 0006).

The engine (agent-bridle#34 Track A + #45): a sequence of pipelines joined by &&/||/; (short-circuit semantics), each pipeline simple commands with quoted arguments, redirections (> out, >> out, < in, 2> err, 2>&1), filename globbing (*/?/[…]) and allowlisted $VAR expansion — every filesystem/env touch bridle performs (redirect opens, glob directory listings, variable allowlist) is leash-/policy-checked before any spawn. The dynamic constructs ($(…), backticks, subshells) stay refused by design. The process spawning is behind a Spawner seam (mocked in unit tests; real path in tests/real_spawn.rs). brush-bridle-core remains the deferred, reversible full-bash alternative engine behind the same registry seam (ADR 0005 D4 — tracked on agent-bridle#20).

Structs§

JsonlSink
Network egress audit surface (#124, ADR 0016): the loopback proxy records every proxy-visible connection as a NetAuditEvent through an AuditSink (default off; enable via the BRIDLE_NET_AUDIT setting). The bridle-netmon binary renders the JSON-lines stream as a live monitor. Append each event as one JSON line to a Write (a file, stderr, a pipe).
NetAuditEvent
Network egress audit surface (#124, ADR 0016): the loopback proxy records every proxy-visible connection as a NetAuditEvent through an AuditSink (default off; enable via the BRIDLE_NET_AUDIT setting). The bridle-netmon binary renders the JSON-lines stream as a live monitor. One audited egress connection through the proxy — a complete record of the child’s proxy-visible network activity (#124, ADR 0016). Serialised as one JSON line by JsonlSink; the bridle-netmon binary renders a live view.
NullSink
Network egress audit surface (#124, ADR 0016): the loopback proxy records every proxy-visible connection as a NetAuditEvent through an AuditSink (default off; enable via the BRIDLE_NET_AUDIT setting). The bridle-netmon binary renders the JSON-lines stream as a live monitor. The default sink — discard everything (audit off, zero overhead).
ShellTool
The confined shell tool.

Enums§

NetDecision
Network egress audit surface (#124, ADR 0016): the loopback proxy records every proxy-visible connection as a NetAuditEvent through an AuditSink (default off; enable via the BRIDLE_NET_AUDIT setting). The bridle-netmon binary renders the JSON-lines stream as a live monitor. The proxy’s allow-list decision for one connection.
NetKind
Network egress audit surface (#124, ADR 0016): the loopback proxy records every proxy-visible connection as a NetAuditEvent through an AuditSink (default off; enable via the BRIDLE_NET_AUDIT setting). The bridle-netmon binary renders the JSON-lines stream as a live monitor. The kind of egress a child requested through the proxy.

Traits§

AuditSink
Network egress audit surface (#124, ADR 0016): the loopback proxy records every proxy-visible connection as a NetAuditEvent through an AuditSink (default off; enable via the BRIDLE_NET_AUDIT setting). The bridle-netmon binary renders the JSON-lines stream as a live monitor. A destination for NetAuditEvents — the operator’s audit trail. record is called from a per-connection thread, so implementations must be thread-safe and must never block the connection for long.