Expand description
Per-agent sandbox policy definitions.
The SandboxPolicy struct defines the runtime security restrictions for
an agent or plugin. It maps from per-agent config (~/.clawft/agents/<id>/config.toml)
to enforceable sandbox rules.
The SandboxType enum determines which isolation mechanism is used:
Wasm– WASM sandbox (cross-platform, default for WASM plugins)OsSandbox– seccomp + landlock on Linux (default for native on Linux)Combined– both WASM + OS sandbox layers
Secure by default: The default sandbox type is NOT None. WASM plugins
get Wasm, native execution on Linux gets OsSandbox.
Structs§
- EnvPolicy
- Environment variable access policy.
- Filesystem
Policy - Filesystem access policy for a sandboxed agent.
- Network
Policy - Network access policy for a sandboxed agent.
- Process
Policy - Process execution policy for a sandboxed agent.
- Sandbox
Audit Entry - Audit log entry for a sandbox decision.
- Sandbox
Policy - Per-agent sandbox policy.
Enums§
- Sandbox
Type - Sandbox isolation mechanism.