Expand description
agent-bridle-tool-shell — capability-confined shell tool (argv + safe-subset engine).
Per ADR 0005 the object-capability boundary is L3 (kernel) and this
crate is the L2 convenience engine: agent-bridle is the exec funnel,
parsing each request itself ([crate::parse]) and running only what it can
confine. ShellTool accepts either argv form (program + args) or a
free-form cmd string, checks the exec/fs leash, spawns the program
directly, and refuses the dynamic constructs by design ($(...),
backticks, subshells — the undecidable interiors of ADR 0001). The L3
backstop is wired (agent-bridle#35): when it will actually confine the run —
today the Landlock fs_write axis on a capable Linux build with fs_write
restricted — children spawn inside a kernel-enforced ruleset and
sandbox_kind reports agent_bridle_core::SandboxKind::Landlock; else the
run is honestly advisory with agent_bridle_core::SandboxKind::None
(I9, never overclaiming). Read/exec/net axes + macOS/Windows backends are
follow-ups (ADR 0006).
The engine (agent-bridle#34 Track A + #45): a sequence of pipelines joined by
&&/||/; (short-circuit semantics), each pipeline simple commands with
quoted arguments, redirections (> out, >> out, < in, 2> err,
2>&1), filename globbing (*/?/[…]) and allowlisted $VAR
expansion — every filesystem/env touch bridle performs (redirect opens,
glob directory listings, variable allowlist) is leash-/policy-checked before
any spawn. The dynamic constructs ($(…), backticks, subshells) stay refused
by design. The process spawning is behind a Spawner seam (mocked in unit
tests; real path in tests/real_spawn.rs). brush-bridle-core remains the
deferred, reversible
full-bash alternative engine behind the same registry seam (ADR 0005 D4 —
tracked on agent-bridle#20).
Structs§
- Jsonl
Sink - Network egress audit surface (#124, ADR 0016): the loopback proxy records
every proxy-visible connection as a
NetAuditEventthrough anAuditSink(default off; enable via theBRIDLE_NET_AUDITsetting). Thebridle-netmonbinary renders the JSON-lines stream as a live monitor. Append each event as one JSON line to aWrite(a file, stderr, a pipe). - NetAudit
Event - Network egress audit surface (#124, ADR 0016): the loopback proxy records
every proxy-visible connection as a
NetAuditEventthrough anAuditSink(default off; enable via theBRIDLE_NET_AUDITsetting). Thebridle-netmonbinary renders the JSON-lines stream as a live monitor. One audited egress connection through the proxy — a complete record of the child’s proxy-visible network activity (#124, ADR 0016). Serialised as one JSON line byJsonlSink; thebridle-netmonbinary renders a live view. - Null
Sink - Network egress audit surface (#124, ADR 0016): the loopback proxy records
every proxy-visible connection as a
NetAuditEventthrough anAuditSink(default off; enable via theBRIDLE_NET_AUDITsetting). Thebridle-netmonbinary renders the JSON-lines stream as a live monitor. The default sink — discard everything (audit off, zero overhead). - Shell
Tool - The confined shell tool.
Enums§
- NetDecision
- Network egress audit surface (#124, ADR 0016): the loopback proxy records
every proxy-visible connection as a
NetAuditEventthrough anAuditSink(default off; enable via theBRIDLE_NET_AUDITsetting). Thebridle-netmonbinary renders the JSON-lines stream as a live monitor. The proxy’s allow-list decision for one connection. - NetKind
- Network egress audit surface (#124, ADR 0016): the loopback proxy records
every proxy-visible connection as a
NetAuditEventthrough anAuditSink(default off; enable via theBRIDLE_NET_AUDITsetting). Thebridle-netmonbinary renders the JSON-lines stream as a live monitor. The kind of egress a child requested through the proxy.
Traits§
- Audit
Sink - Network egress audit surface (#124, ADR 0016): the loopback proxy records
every proxy-visible connection as a
NetAuditEventthrough anAuditSink(default off; enable via theBRIDLE_NET_AUDITsetting). Thebridle-netmonbinary renders the JSON-lines stream as a live monitor. A destination forNetAuditEvents — the operator’s audit trail.recordis called from a per-connection thread, so implementations must be thread-safe and must never block the connection for long.